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(57) Abstract 



A method and apparatus arc provided, in which a gaming server (II) is responsible for accounting, game play, and payouts, while 
the game console (12) is primarily responsible fur p escming the user interface. In the general case, communication delays arc eliminated 
by geneaiing game outcomes locally to the cc i>- )1 . which will be used to determine game outcome to the console prior to the player 
making heir selection. The random numbers us v e i dictate game outcomes arc generated in a highly secure device and cannot be used 
to d;t r: ihe the correct choice of player ^ciecti< n u i: II icncc the game outcome. When the player makes a selection the random numbers 
are i! o d available to the consol * ; n I l : v \ » » u t. in tr determined and displayed immediately, independent of communication 
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Distributed game accelerator 

Introduction 

The present invention relates to the field of gaming machines and in 
particular the invention provides a method and apparatus for speeding up the 
5 response time of games played over a network, beyond thai, achievable using 
traditional systems. 
Background of the Invention 

Traditionally gaming machines have been provided as stand alone 
devices connected via a network for information gathering, however in the 
10 recent past, distributed gaming systems have been proposed to meet the 
changing needs of the gaming industry. 

In a distributed gaming system games are split across the server and 
console. In its simplest form, when the player presses the 'play* button on 
the console, the console relays that fact to the server. The server may then 
15 decide to start a game, and if so instructs the console to initiate a spinning 
reel display. The spinning reel display will run for a set period and then 
come to a stop with a certain set of symbols showing, as directed by the 
server. The players account is adjusted by the server according to the game 
outcome. The console is instructed of the account details by the server for 
20 display. 

It is a fundamental requirement for security that the game outcome 
and accounting are solely determined by the server. The console simply 
provides a user interface. If the game were to be in any way independently 
controlled by the console then the potential would exist for tampering. 
25 Therefore considerable data must be exchanged between the server and 

console, however communication delays limit the speed and interactivity of 
games. 

The combinations of a game describe the mathematical structure of the 
game and define all possible games, including the winning patterns and the 
30 payouts associated with each. From the combinations the game statistics are 
determined, including the theoretical return to the player. 

A limitation and crucial factor in game play in a traditional distributed 
gaming system is the response time of games to user input. This time is 
determined by network and server response times. If either of these is not 
35 adequate then the user will notice delays in playing the j-hu-h. 
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A game used as an example is the red/black double up. It is a common 
feature game requiring a fast response time. A card is shown face down on 
the display so that the colour cannot be seen. The game selects a colour for 
the card, and the player tries to guess what colour the card is, ie. red or 
5 black. The player has a 50% chance of guessing the correct colour and wins 
double or nothing. 

Consider the red/black double up game. When the player makes a 
selection they expect to instantly be shown the outcome. Any delay must be 
kept small for the game to be playable. In existing systems it was a 
10 requirement that the network did not impose significant delays, or 

* alternatively that games played on the system were designed to make such 
delays less noticeable. 

In this context, the term "outcome" can have two meanings :- 
a) the indicia or images displayed at the end of a game 
15 b) the result of the gamble (ie, win/loss and value of prize). 

The first of these outcomes we will call the 'game outcome' while the 
second we will call the 'gamble outcome'. In most game types, game outcome 
and the gamble outcome are directly linked. However, in some instances, 
such as the red/black gamble referred to above, they are not because the game 
20 outcome is a particular colour of card while the gamble outcome will depend 
upon which colour was selected by the player. The gamble outcome is also 
determined by the size of bet selected by the player.. The term "outcome" 
describes the combination of both the game outcome and the gamble 
outcome. 
25 Summary of the Invention 

According to a first aspect, the present invention provides a method of 
operating a gaining system including al least one gaming console, the console 
including secure storage means and a user interface allowing a user to 
initiate a game and observe a result, the method including the steps of: 
30 storing game or gamble outcome information in the secure storage 

means for use by the console to produce a game or gamble outcome; 
and 

upon receipt of a user input initiating a game, producing a game 
play sequence including a game and/or gamble outcome indication 
35 determined by the game or gamble outcome informatioi; rt ored in the 

secure storage means alone c r in combination with a u.s-i j i nil. 
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According to a second aspect, the present invention provides a gaming 
system including at least one gaming console, the console including secure 
storage means and a user interface allowing a user to initiate a game and 
observe a result, the system including: 
5 secure storage means for storing game or gamble outcome 

information used by the console to produce a game or gamble 
outcome; and 

game control means in the console arranged to receive a user 
input initiating a game and to produce a game play sequence 
in including a game and/or gamble outcome indication determined by 

the game or gamble outcome information stored in the secure storage 
means alone or in combination with a user input. 
According to a . third aspect, the present invention provides a secure 
storage means for use in a gaming console which includes a user interface 
15 allowing a user to initiate a game and observe a result., the secure storage 

means being arranged to store game or gamble outcome informal ion used to 
produce a game or gamble outcome. 

According to a fourth aspect, the present invention provides a secure 
removable control device for use in a gaming console which includes a user 
20 interface allowing a user to initiate a game and observe a result, the control 
device being arranged to generate game or gamble outcome information used 
by the console to produce a game or gamble outcome. 

The information stored in the secure storage means or generated by the 
control device may be a sequential list of outcome information relating to a 
25 sequence of future games to be played on the console, a set of random 
numbers sufficient to generate one or more entire game outcomes, or a 
random number seed from which outcome information relating to a sequence 
of future games to be played on the console is generated by operation of a 
pseudo-random number algorithm. Preferably, the game outcome 
30 information generated by a pseudo-random number algorithm, will be in the 
form of a set of random numbers sufficient to generate an entire game 
outcome. 

In one possible embodiment the outcome informal inn is a random 
number indicating a gamble outcome value and the secure processing means 
35 in the console then chooses a game outcome which will achieve that gamble 
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outcome value, however generally the information will indicate an outcome 
and the gamble outcome value will be determined from the game outcome. 

Preferably the secure storage means or control device is removably 
conncc table to or readable and writable by the console. 
5 In one embodiment, the information relating to future game outcomes 

stored in the secure storage means is stored before the secure storage means 
is connected to the console. Preferably the secure storage means is a 
programmable card which is preprogrammed with outcome information 
before or after acquisition by a user and is inserted into the console by the 
10 user to produce one or more game outcomes on the respective console. 

In one embodiment the production of the game outcome indication is 
performed in a secure processing means connected to the secure storage 
means by way of a secure communications path. 

Preferably also the secure processing means or control device includes 
15 a smartcard or smartcard chip which is either removably inserted into or 
permanently fixed in the console. 

The console and therefore the secure storage means or control device, 
may or may not be connected to the server when the game is played, but in 
either event, when the secure storage means or control device is next 
20 connected to the server, it will generate and send a signal to the server 
indicating that the stored precalculated result has been used. 

According to a further aspect, the present invention provides a virtual 
casino including a plurality of virtual gaming machines (or gaining consoles, 
each gaming machine or console having dedicated accounting, and 
25 combinations, being uniquely identified and capable of being returned to at 
any time by the player provided it is not in use by another player. 

In a virtual casino, as in a traditional casino, if another player is using 
a particular virtual machine then, the player must wait or play another 
machine. Preferably embodiments of the invention will allow a player to 
30 view a virtual machine while il is being played by another player. 

The return remains with the machine for the life of that machine. 
Unused return is mathematically equivalent to money and can thus be 
transferred between games, either as money or combinations changes. To be 
fair to players and prevent the casino from cheating, when player accounts 
35 are shut down, virtual game machines are ended, I he gaining site is to be 

closed, or jackpots are cancelled, etc, the extra accumulated return ow< r! !o 
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players is transferred from the various accounts and 'redistributed among the 
players, as jackpots, credits, combinations, etc. 

Preferably, the game outcome determining data is stored in the secure 
storage means and the game outcome is calculated from the data in a secure 
processing means connected to the sncure storage means by way of a secure 
communications path. 

The data precalculated by the server and sent to the secure storage 
means in the console, may be in the form of a set of random numbers 
sufficient to generate an entire game outcome (ie, 5 random numbers in the 
case of a slot machine with a 5 reel display) or alternatively, the 
precalculated data may be a random seed from which the secure processing 
means may calculate the required number of random numbers using a 
pseudo-random number generating program. In another alternative 
arrangement, the server may calculate an actual game outcome (eg, reel 
stopping positions or indicia) and transmit codes indicating these positions 
although this arrangement is inconvenient in a machine capable of playing 
any one of a number of player selectable games as the server would have to 
precalculate outcomes for each possible game. 

In an alternate embodiment, predetermined outcomes can be 
implemented using a smartcard as the secure storage and processing means, 
with predetermined bets and outcomes stored simply as a list of values. 
Initially all values on the card (except the first which is the initial value of 
the card) are hidden and playing games discloses the values one by one. The 
player may redeem the card at any time for the amount of the last disclosed 
value. The console displays an appropriate game which generates the new 
value. The player buys a smartcard (or downloads values from a casino) with 
a fixed number of values. An advantage of this system is that the casino 
knows the wins and losses of every card released and can adjust the pattern 
of wins and losses as desired. 

In another embodiment a smartcard is provided with a list of 
predetermined outcomes, with the player making bets on each outcome. The 
outcomes are initially hidden and are disclosed one at a time as games are 
played. For each outcome disclosed the player first makes a bet, which is 
vvt i; tt;ii in the smartcard (in non-volatile memory). The total value owed to 
th? ph yer is simply the sum of wins and losses for each bet and outcome. 
'»')■( »] p".r redeems the card for value stored by returning the card. This may 
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be implemented with a very simple anil hence cheap smartcard, requiring 
only secure memory storage with controlled access. In another 
implementation the value is redeemed via secure communications with a 
game server. 

The smartcard may be programmed with multiple functions, only one 
of which is a gaming accelerator. In other modes the smartcard may for 
example be used as an ID card, a credit card, a bankcard (eg. ATM), etc. The 
protocol to access the smartcard maybe an extension to another, perhaps 
primary, mode of the smartcard. 

In yet another possible alternative arrangement, the server calculates a 
number indicating a gamble outcome value (per unit bet) and the secure 
processing means in the console then chooses an outcome which will 
achieve that win value. This arrangement will work better with some games 
than others, although, the concept could be altered to suit each game played. 

In preferred embodiments of the invention, signals generated by the 
server and console to send game outcomes or to indicate game play, arc 
encrypted prior to being sent. 

Preferably, also encrypted signals are each provided with a piece of 
unique information prior to encryption such that different signals containing 
the same game information are not the same after encryption. 

Preferably also, the server includes an auditing function to check the 
game and/or gamble outcome data returned from the secure device in the 
console. 

In one embodiment of the invention, the secure storage and processing 
means is a smart card which may be permanently fixed in the console or may 
be removable and may also be used to carry player identification and credit 
information. Preferably, when a smart card is used as the secure memory 
and processing means, the encryption and decryption in the console of 
signals to and from the server and the game outcome calculation will be 
performed by the smart card. 

In one preferred form of the invention, an hierarchical network of 
gaming servers are provided with the console connected to low order, low 
security network servers which perform low security and routine control and 
communication, while passing high sminlv signals to higher level gaming 
servers having higher security. 
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BrittrPftscriution of the Drawings 

Embodiments of the invention will now be described, by way of 
example, wiili reference In the accompanying drawings in which:- 

Figure 1 is a block diagram of a distributed gaming system; 

Figure 2 is a more detailed block diagram of the server and console 
components of a distributed gaming system of Figure 1; 

Figure 3 is a flow chart showing an initialisation sequence for a system 
according to the present invention; 

Figure 4 is a flow chart showing a sequence of steps in the playing of a 
game on a system according to the present invention; 

Figure 5 is a diagram showing a Blackjack hand as it is initially dealt; 

Figure 6 is a diagram of a message format for a message from the 
smartcard and server; 

Figure 7 is a flow chart showing a random number buffering 
arrangement; 

Figure 8 is a block diagram of a system employing a random number 
server; 

Figure 9 is a block diagram of a distributed gaming system including a 
security server; and 

Figure 10 is a block diagram of a distributed gaming system including a 
network of gaming servers. 
Detailed Description of the Embodiments 

Embodiments of the invention will now be described in which the 
gaming server 11 (refer to figure 1) is responsible for accounting, game play, 
and payouts, while the game console 12 is primarily responsible for 
presenting the user interface. The console 12 may also keep accounts for the 
player and run the game combinations, but only as an aid to the rapid update 
of the display. The real accounts and the combinations are held on the 
server 11 and the player will be paid as the server determines. Although the 
console 12 can in theory be tampered with to affect the combinations and 
accounting any changes will be local to the console 12, and cannot affect the 
accounting on the server 11, and hence payout For the sake of 
completeness, a control terminal 13 is illustrated in figure 1. This control 
terminal is used by the system operator to manage the gaming server 1*1. 
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For a system able to transparently cope with significant delays 
occurring throughout the system several advantages can be derived as 
follows, depending on the embodiment used. 

• A slower response time from the server 11 is allowable. A cheaper, lower 
performance server system may be used. In a multiple server installation 
extra servers may even be eliminated. In addition server software will be 
easier to develop due to the lower performance constraints. . 

• Network delays may be allowed to increase. Cheaper, lower performance 
networking may be allowed. Internet gaming performance can be 
improved. 

• Delays associated with distance arc ultimately limited by the speed of 
light, and cannot be overcome. International delays are therefore 
significant and cannot be reduced beyond a certain point. However 
embodiments of the invention can reduce or eliminate the effect of such 
delays. 

Network and server delays may be eliminated or significantly reduced 
at the console 12 in some circumstances by not waiting for a response from 
the server 11 before giving the player feedback. Some games do not require 
knowledge of the gamble or game outcome to continue, although the game 
cannot be completed until it is known. 

In the general case, the delay can be effectively eliminated by sending 
the random numbers which will be used to determine game or gamble 
outcomes to the console 12 prior to the player making their selection. These 
numbers arc stored in a highly secure device 23 and cannot be used by the 
player (or a cheat) In determine the correct choice of player selection. When 
the player makes a selection the random numbers are already available at the 
console 12 and the game outcome can he determined and displayed 
immediately. 

Games maybe played locally on the console 12 in a similar way to that 
found in a traditional gaming machine. The key difference being that game 
outcomes are not determined by the console 12, and that they are audited by 
the server 11. The players choice is passed to the secure device 23 and it 
informs the console 12 of the subsequent game outcome. An unforgeable 
message is generated !o advise the game server 11 of the game outcome. 

In the embofiinent illustrated in the block diagram of figure-! 2, it will 
bo semi that the s ; \ -v I 1 includes a CPU 14 aud is used to store 
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combinations 16 and to perform random number generation 15, The server 
11 is connected to one or more consoles 12 via a network 17 and each 
console 12 includes a CPU 21, a user interface 22 and a secure storage and 
processing device 23 arranged to provide encryption/decryption functions 24 
5 and game outcome logic 25. 

The secure storage and processing means in the console 12 may be 
achieved by using a relatively standard processor on a separate board within 
a security cage using techniques presently common in the gaming industry or 
these functions may be realised in a secure software routine that 

in continuously checks itself for tampering or makes use of a hardware device 
to constantly monitor itself for validity. The software embodiment, could for 
example make use of a hardware decryption circuit that decrypts the program 
and data on the fly during executions and constantly sends encrypted 
messages to the server 11 to indicate the valid status of the decryption 

15 circuit. 

In the preferred implementation the secure random number storage 
and processing device 23 is an ISO 7816 smartcard (or smartcard chip) with 
embedded microprocessor 21, program ROM and if PROM. The smartcard 23 
is provided with an encryption function 24 either via software or a hardware 

20 accelerator. The smartcard 23 has a 5 pin interface with serial 
communications for connection to a reader in the console 12. 

The smartcard 23 may be inserted into the console 12 by the player or 
embedded within it by the manufacturer. A smartcard or smartcard chip may 
also be enclosed within a module which is inserted into the console 12, tor 

25 example, within a PCMCIA card which is then plugged into a personal 
computer. 

In the following description the smartcard 23 and server 11 are 
sometimes referred to as communicating directly with each other, without 
the aid of the console 12. This is for simplicity of description, but it must be 
30 realised that the console 12 must act as the intermediary. The console 12 
does not interpret or modify any such communications. 

In the following embodiments, the game outcome data is preferably 
transmitted from the server 11 and stored in the console 12 as a random 
number seed from which any number of random numbers required for the 
35 game may be generated. 
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The game server 11 is responsible for accounting, game play, and 
payouts, while the game console 12 is primarily responsible for presenting 
the user interface. The console 12 may also keep accounts for the player and 
run the game combinations, but only as an aid to the rapid update of the user 
5 interface. The real account and combinations is held on the server 11 and 
the player will be paid as the server 11 determines. The console in effect 
presents a simulation of the game that is run on the server, Although the 
console 12 can in theory be tampered with to affect its combinations and 
accounting any changes will be local to the console 12, and cannot affect the 

10 accounting on the server 11, and hence payout. 
Predetermined Outcomes 

In the preferred implementation random numbers within the secure 
storage and processing device 23 are used to generate game outcomes as 
"required by the console 12. In an alternate method, called predetermined 

15 outcomes, the server 11 determines game outcomes prior to games being 
played and securely transmits them to the secure storage and processing 
device 23. When a game is played the console 12 requests one of these game 
outcomes from the secure storage and processing device 23 and produces a 
display appropriate to the outcome. Game outcome messages are preferably 

20 secured using encryption techniques to prevent cheats decoding messages to 
determine the outomces before they are played. Alternately physical security 
of the communicatioos medium may be used. 

For example, consider the red/black double-up game. In the preferred 
implementation the outcome is dependent on the match between the player 

25 selection and random number within the smartcard 23. Using predetermined 
outcomes the secure storage and processing, device 23 contains a 
predetermined win or lose outcome and the player selection makes no 
difference to the game outcome. The console 12 outputs an appropriate win 
or lose display according to the predetermined outcome and player selection. 

30 If the player wins the console 12 shows the hidden card the same colour as 
the players choice, while if the player loses the console shows the opposite 
colour. The secure storage and processing device 23 generates an 
unforgeable message to the server 11 informing it of the outcome selected 
and (lie amount bet. 

35 Consider also slot games. Agc.in outcome is predetermin itl. but with 

the win outcome also containing a viu multiplier which is Ui«: i 1 lUjtli of 
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the bet that the player wins. The console 12 displays the outcome 
appropriate to the win or loss, which may be selected randomly from a range 
of possible win or loss displays. 

The console 12 requests and buffers game outcomes from the server 11 
5 appropriate to the games to be played. Before all of the outcomes have been 
used the console 12 requests replacement outcomes from the server 11. 

In an alternate application, predetermined outcomes can be 
implemented using a smartcard 23 as the secure storage and processing 
device 23, with predetermined bets and outcomes stored simply as a list of 

10 values. Initially all values on the card (except the first which is the initial 
value of the card) are hidden and playing games discloses the values one by 
one. The player may redeem the card at any time for the amount of the last 
disclosed value. The console 12 displays an appropriate game which 
generates the new value. The player buys a smartcard (or downloads values 

15 from a remote casino) with a fixed number of values. An advantage of this 
system is thai the casino knows the wins and losses of every card released 
and can adjust the pattern of wins and losses as desired. 

In another application a smartcard 23 is provided with a list of 
predetermined outcomes, with the player making bets on each outcome. The 

20 outcomes are initially hidden and are disclosed one at a time as games are 
played. For each outcome disclosed the player first makes a bet, which is 
written to the smartcard 23 (in non-volatile memory). The total value owed 
to the player is simply the sum of wins and losses for each bet and outcome. 
The player redeems the card for value stored by returning the card. This may 

25 be implemented with a very simple and hence cheap smartcard, requiring 
only secure memory storage with controlled access. In another 
implementation the value is redeemed via secure communications with a 
game server 11. 

In another implementation the secure storage means and secure 
30 processing means are two separate devices, preferably smartcards. 

Predetermined outcomes and/or bets are loaded from the server to the secure 
storage means. When the secure processing means and secure storage means 
are in communication games maybe played as the secure processing means 
uses the predetermined outcomes stored on the secure storage moans. The 
35 secure storage means may also store the players credit account which is 

gambled on and adjurt mI by tin; secure processing means during game play, 
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or alternatively a separate secure storage means, preferably yet a further 
smartcard or smartcard chip is provided to store credit account information. • 
One application of this implementation is where the secure storage means is 
a multi-application smartcard where the smartcard acts as a secure filing 
5 system. Each application is a separate smartcard with secure access to the 
data file area. The gaming system is simply one of the many applications, 
with the secure processing means being the other smartcard. A secure access 
means provides the off-line communication between server and secure 
storage means to download or update the stored predetermined outcomes 
10 and/or credit information. 
Applications 

In Internet applications the smartcard 23 may be used in conjunction 
with a PC via a standard smartcard interface or an adaptor such as a PCMCIA 
card, or directly connected to a network computing device with built in 

15 smartcard interface (eg. Sony WebTV, Oracle NC). 

The smartcard 23 (or socket) may be integrated with a modem and 
game program memory within a module for a game console (eg Sony 
Playstation or Nintendo Ultra64). The game console 12 is then capable of 
highly interactive gambling. 

20 The smartcard 23 may have multiple functions, only one of which is a 

gaming accelerator. In other modes the smartcard 23 may for example be 
used as an ID card, a credit card, a bankcard (eg. ATM), etc, The protocol to 
access the smartcard 23 may be an extension to another, perhaps primary, 
mode of the smart card. 

25 A secure storage and processing device may be used to enhance , 

security in an otherwise traditional distributed gaining system (such as 
Internet, hotel in-room gaming or on a ship) by securing the game outcome 
determining function of the server. Depending on the implementation used 
and as described elsewhere, random numbers (or game outcomes) are either 

30 generated by the secure storage and processing device or received from a 
random number server at a more secure location. Random numbers (or 
game outcomes) generated at another location are securely (eg. by 
encryption) communicated to the game server and hence secure storage and 
processing device by a communication link or a storage medium such as a 

35 CD-ROM or hard disk. The gam-.j sorvor sends player requests to the socure 
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storage and processing device and receives game outcomes, which it then 
communicates to the player consoles. 
Software method of disguising delays 

Network and server delays may be effectively eliminated at the console 
5 12 in some situations. by not waiting for a response from the server 11 before 
giving the player feedback. The game console 12 must be able to process 
user input and take actions without waiting for commands from the server 
11. For example when the user presses play, a message is sent to the server 
11 as usual, but the reels also start spinning immediately. 

10 To maintain security it is essential that the outcome of games be 

determined only by the server 11, but this does not limit the starting of reel 
spins (or other events), only stopping of the reels. The typical reel spin time 
of three seconds can easily encompass a network/server delay of two seconds 
before the game outcome is received and the reels slow down and stop. 

15 If the response was not received within a set period, say 30 seconds, 

the console 12 would abort the game without the usual stop and clearly 
indicate to the player thai the current game display is invalid, but that a 
game may have taken place. A message is then sent from the console 12 to 
the server 11 indicating a time-out error. Two events may have occurred 

20 The server 11 did not receive a start of game message, therefore the 

game did not take place. A new game may be played. 

The server 11 received the start of game message and played the game, 
but the console 12 did not receive the servers game outcome message. The 
game has taken place and the players account updated, but the player does 

25 not know what happened. The game is redisplayed on the console 12 as soon 
as possible. 

Preferred Implementation 

In the preferred implementation the secure storage and processing 
device 23 is an ISO 7816 smartcard (or smartcard chip) with embedded 
30 microprocessor, program ROM and E^PROM. The smartcard 23 is capable of 
encryption either via software or a hardware accelerator. A smartcard has a 5 
pin interface with serial communications. 

The implementation could also be a microcontroller or a secure multi- 
component module. The key requirement being that it is not possible to 
3r> determine the internal operation of the module, and hence the random 
numbers or security keys. 
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Inilta !isa tion 

Communication must be established between the server 11 and 
smartcard 23 prior in any games taking place. Each smartcard 23 is provided 
with a unique preprogrammed ID number and secret encryption key. 
5 Preferably the ID number and secret encryption keu are encoded into the 
smartcard after manufacture but before distribution to the casino or users. 
The server is informed of the card ID and matching encryption key, which 
will be the same as the smartcards key or different depending on whether 
symmetric or asymetric encryption is used. 

10 Referring to figure 3, during initialisation the console 12 reads 101, 102 

the ID from the smartcard 23 and informs 103, 104 the server 11. The server 
11 uses the ID to look up the encryption key used to communicate with the 
smartcard 23 and allows the console 12 access to the account information 
once the server 11 has authenticated the smartcard 23. The console 12 may 

15 access the players account for information including credit available, game 
preferences and game initialisation, following authentication of the 
smartcard 23 by encrypted communications. 

The ID is not itself required during communication with the smartcard 
23, as due to the encryption, if the wrong ID is supplied communications 

20 cannot take place. An exception to this is in an alternate implementation 
where the same keys are used for all cards, when the ID must be encoded 
into all messages to prevent the same random numbers being played on more 
than one card. Although the ID may be the smartcards public encryption 
key, preferably, in the interests of security this is not disclosed. 

25 Console to server communication of the smartcard ID is one of the few 

types of message that is not encrypted, as it is performed by the console 12 
rather than the smartcard 23. In an alternate implementation these messages 
may also be encrypted using a public key that the server 11 publishes. 
Encrypted messages may thus be sent to the server 11 that only the server is 

30 able to decode. 

Referring again to Figure 3, in the preferred implementation the server 
11 first checks 105 the smartcard 23 for unacknowledged games, and the 
smartcard responds 'JOB with details of the outstanding games it is holding. 
The server then transmits 107 an initial game state to the console 12 and 

35 enables initiation of game play 109. Where the previous game was 

interrupted feq due tc r :nmmunications fail urn or player choice) Ibis 
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restores the last state of the game. Preferably the initial state includes the 
current value of the players account. It may also bo requested during game 
play to ensure that the game simulation that the player sees correctly reflects 
the true account held by the server. 

* 5 In some types of game the combination being played depends on 

previous games, changing during the course of game play. For example, after 
100 games with a return of 85% the player is given 10 games at 90% return. 
This change in combinations affects the long-term return to the player and 
therefore the method of initialisation, which can be one of: 

10 • The server 11 always initialises the game to the same state, maximising 
the return to the server. 
• The last game state is recorded in the player's account and the same state 
is restored during initialisation. 

The last game state of the player is randomly assigned to the next. 

15 player to play that game. This is analogous to the situation in a casino, when 
one player finishes with a gaming machine and the next player starts. The 
average return to the casino does not increase. 
Virtual Casino 

To further simulate an actual casino environment a Virtual Casino may 

20 be created. The Virtual Casino contains a (preferably large) number of 

virtual gaming machines which act like gaining machines in a traditional 
casino. Each has it's own accounting, combinations, etc, is uniquely 
identified and can be returned to at any time by the player, but may only be 
played by one player at a time. If a player is using a particular virtual 

25 machine then as in a traditional casino other players must wait or play 

another machine. Therefore the return remains with the machine for the life 
of that machine. To further simulate a real casino players may be able to 
observe another player play a virtual gaming machine and to start playing 
that virtual gaming machine when the current player ceases. A queue 

30 mechanism may be used where multiple players want to play the same 
virtual gaming machine. 

Unused return is mathematically equivalent to money and can thus be 
transferred between games, either as money or combinations changes. To be 
fair to players and prevent the casino from cheating, when player accounts 

35 are shut down, vi-tual game machines are ended, the gaining site is to be 

closed, or jackpot ; cancelled. cA>:. the extiv accumulated return owed to 
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players is transferred from the various accounts and redistributed among the 
players, as jackpots, credits, combinations, etc. 
Gam*? Play 

In the preferred implementation the smart card generates the random 
5 numbers used to calculate game outcomes from an initial seed set prior to 
use of smart card and optionally periodically updated from the server. 

In an alternate implementation random number seeds are generated by 
the server 11 and sent to the smart card prior to each game. In this 
implementation, the random mimber seed, combined with an auto- 
10 incrementing index (the seed index) is encrypted such that only the smart 
card can decode it. The smartcard 23 uses the seed to generate as many 
random numbers as required for the next game. Each time a new seed is 
generated a unique new index is used. The index is unique to a game and is 
used to identify that game to the server 11 for the game outcome, and again 
15 for the server to acknowledge receipt of the game outcome to the smartcard 
23. 

Figure 4 illustrates the game play sequence, following initialisation in 
Figure 3 and the selection of a game to play. Once the player has selected 
the game type the console 12 sends the selection to the smartcard 23, 

20 together with the game description and amount bet. The smartcard 23 then 
writes the game type, player choice(s), amount bet, game outcome and card 
index to its internal E^PROM memory. The smartcard 23 must inform the 
server 11 of the amount bet, otherwise tampering could occur with the server 
being told that losses had small bets, while wins had large bets. 

25 The console 12 then requests a game outcome, which the smartcard 23 

generates, stores in E 2 PROM and then sends to the console, which can 
immediately display the result to the player. The smartcard 23 also generates 
an unforgeable encrypted game outcome message for the server containing 
the game type, gamble, player choice(s), amount bet game outcome, and card 

30 index which it sends to the console 12, and hence to the server 11. The 

server 11 decrypts the message and is thus informed of the game played and 
is able to adjust the account correctly. The server 11 then sends an 
acknowledgment to the smartcard 23, which responds by erasing that 
outcome from its E 2 PROM. Games are recorded m the smartcards E^PROM 

35 until acknowledged by the server 11. Unacknow ledged games will quickly 
fill the available memory and stop the smarten J ( "c in accepting new games. 
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Security is dependent on il being impossible to determine what 
encrypted message to send back to the server 11 if the wrong choice of 
gamble is made. Only the smartcard has this information. 

The game type uniquely identifies each type of game to the server 11. 
5 Many games may share the same combinations, but each has a different game 
type. Note that the combination type may be sent instead of the game type, 
but auditing (to check popularity of games, for example) is better served by 
sending the game type. 

In another variation, after initialisation (eg. poxver up), the card may 
10 refuse all games until any outstanding game outcomes in E 2 PROM have been 
acknowledged by the server 11. 

So far only the first game has been accelerated. To eliminate delays in 
subsequent games two factors must be considered 

• A new game must be able to take place before the server 11 acknowledges 
15 receipt of the first game outcome. 

• New random numbers must be available immediately. 

When the server 11 has not yet acknowledged the previous game 
before the player starts the next, a number of game outcomes may be stored 
in E 2 PROM, The next game may be played immediately assuming more 

20 random numbers and space is available. Games can continue to be played 

until the limit of E 2 PROM memory is reached, random numbers are no longer 
available, the total value of player losses in outstanding games reaches the 
preset loss limit, etc. 

The server 11 may at times require that all game outcomes outstanding 

25 in the smartcard must be acknowledged, in particular before the player 

collects money from their account. The server 11 may query the smartcard 
for outstanding games, or in an alternate implementation simply maintain a 
list of the random numbers seeds that have not yet been used. 

In the alternative implementation, where the server generates a 

30 random number seed for each game, before a game starts a random number 
seed is generated 108 (refer to Figure 4 and Figure 7) by the server 11, 
combined with the seed index, encrypted, and sent to the console 12 where 
it is stored 121 at or prior to start of game play 123. Referring to Figure 7, 
maintenance of the seed buffer is performed by a background task that 

35 regularly tests 140 the state of the seed buffer in the console 12 and if it 
contri i: less than a predetermined number of seeds, a request 107 is 
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generated to the server 11 for more seeds. As the seeds arc encrypted and 
contain an encrypted sequence number, the buffer does not need to be 
maintained in a secure part of the console 12. 

When a game requires a seed to generate a set of random numbers, the 
5 console 12 tests the buffer 150 to ensure it is not empty and then retrieves 
151 a seed and sends 124 the seed to the smart card where it is received 15 7 
and any required additional random numbers generated. In the event that a 
game requires only one random number, the seed may be used directly as the 
random number, however, where more numbers are required, the smartcard 

10 uses a pseudo-random number algorithm known to the server ll, such that 
the server can predict the numbers generated by the seed. 

Only the smartcard is able to receive and decrypt 124 the seed. 
Referring to figure 4 the smartcard uses the seed to generate 129 as many 
random numbers as required for the next game outcome. Each time a new 

15 seed is generated 108 a unique new index is used. The index is unique to a 
game and is used to identify that game to the server 11 when reporting 130 
the game outcome, and again for the server to acknowledge receipt 132, 133 
of the game outcome to the smartcard. 

Once the type of game has been selected 123 by the player the console 

20 12 waits 125 for the player to press play 126 and then sends this information 
to the smartcard with a request 127 for a game outcome, together with the 
game type and amount bet. The smartcard then writes 128 the received seed 
index or card index, game type, gamble type ; player choice, amount bet and 
outcome (note: the outcome is not strictly required as the server is also able 

25 determine it) to its internal E 2 PROM memory. 

The smartcard informs the server 11 of the amount bet otherwise 
tampering could occur with the server being told that loses had small bets, 
while wins had large bets. 

The game outcome 131 is then sent to the console 12, which can 

30 immediately display the result to the player. The smartcard also generates 
129 an unforgeable encrypted game outcome message for the server 11 
containing the seed index, game type, gamble type, player choice, amount 
bet and game outcome, which il sends lo the console 12, and hence 130 to 
the server. The server 11 decrypts the message and is thus informed of the 

35 game played and is able to adjust 132 the account correctly. The server 11 
then sends 133 an acxnowled< i icnt to the smartcard which responds by 
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erasing 134 the outcome from its E 2 PROM. When the game is complete 135 
the console 12 wails 125 for another player input 126 to commence another 
game. 

Security is dependent on it being impossible to determine what 
encrypted message to send back to the server ll.if the wrong choice of 
gamble is made. Only the smartcard knows this and this information is not 
accessible 

When each new random number seed is received the embedded index 
is checked against that of the most recent game outcome stored in E z PROM. 
There are three possible outcomes; 

• The received index is newer (ie. larger) than that of the last stored game, 
indicating that it is a new seed, for a new game. 

• The received index is the same as the stored index, indicating that the 
game has already taken place, and the console 12 is so informed. No new 
gamble choice will be accepted. This may occur if the system aborted the 
game without completing the transaction (ie. power down) to the console 
12 ; or server 11. It also acts to prevent cheating where the encrypted 
random numbers are resent and the gamble is tried again with a different 
choice. 

• The received index is older (i.e. less) than that of the last stored games. 
This is either the result of an error in the system or an attempt at cheating. 
This condition is signalled back to the console 12 and the set of random 
numbers discarded. 

In a variation on the implementation described above, the index must 
be the next in the sequence for the smartcard to accept the communication. 
For example, if the last index was 1000, the next must be 1001. 

In another variation, after initialisation, (ie, power up) the card may 
refuse all games until any outstanding game outcomes in E 2 PKOM have been 
acknowledged by the server 11. 

Where taxes are required to be paid to government these may be 
calculated from the player accounts. 
High Loss Gambles 

If the value of a gamble is large it may easily exceed the value of the 
smartcard. If the smartcard is destroyed then any losses outstanding on the 
smartcard and of which Ihe server 11 is nc! a /vare are lost with the smartcard 
and the player will not have their accoui.t c i t i< : server debited with the loss. 
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In soine cases it would therefore be in the players best interest to destroy the 
srnartcard and avoid large losses. 

A loss limit is programmed into the srnartcard. to prevent a single 
gamble or a scries of gambles above the set limit. The loss limit is set by the 
5 srnartcard issuer In be lhat value al which it is not worth tampering with the 
srnartcard in this way. In applications where the srnartcard is physically 
secure and there is no question of such tampering, as in a traditional casino 
environment, a loss limit is not required. 

When a series of gambles has been made and are still outstanding 
10 (unacknowledged) on the srnartcard, the order of notifying the server II of 
game outcomes may be modified to give priority to losses over wins. 

One or more of the following methods may be used to deal with high 
loss games 

• The player is charged for a new srnartcard. For example a player paying 
15 $50 for a srnartcard will not profit by destroying a srnartcard with only $50 

losses on it The loss limit in this case may be $50. 

• The loss limit is set to such a point that even though it is possible to make 
money by destroying the srnartcard it is not economically worthwhile. 

• The issuer may detect players who regularly destroy cards and refuse 

20 further business with them. Analysis software on the server 11 or off-line 

aids in detecting suspicious activity. 

• The player makes a guarantee to the server 11 for a play limit. If the 
srnartcard is destroyed the player forfeits the amount guaranteed. For 
example the player guarantees $500, and the server 11 instructs the 

25 srnartcard of a new loss limit of $500. This is analogous to transferring 

money into the srnartcard and if the srnartcard is destroyed Hie player 
loses $500. 

• The player may only be able to withdraw money from their account on the 
server 11 by using the srnartcard. If the account is in net credit then the 

30 player would have te keep the srnartcard safe. 

• The player must present the srnartcard in person to colled winnings, so 
that I he srnartcard can be physically examined. This would typically be 
used if tampering were suspected or the value of the win was large. 

• The system may revert to Ihe traditional distributed gaming mode* for high 
35 value gambles, where games arc played directly from the server 11 and the 

srnartcard is not used. The gamble is set up on I hi; server 11. the outcome 
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solely determined by the server after the player selection and then 
transmitted to the console 12. 

• For high value gambles the console 12 requests a gamble amount from the 
server 11. -The player is then committed to gambling this value or 

5 cancelling it via the correct (secure) method. The server 11 responds with 

an encrypted gamble confirmation message to the smartcard which allows 
the game to proceed. If tampering takes place-; and the server 11 never 
receives a response from the smartcard, the player forfeits the gamble 
amount initially set up on the server. This method has the delays 
10 associated with the traditional method and that this invention is designed 

to eliminate. 

• The smartcard may be a multipurpose card, and destroying it may not be 
worth the trouble caused, due to the nature of the other functions. It may, 
for example, also be a bank or credit card. 

15 An attempt may be made to tamper with the system by deleting a 

losing game outcome message before it reaches the server 11, or system 
errors may cause the loss of messages. Therefore the previous game is stored 
in E 2 PROM until the server 11 acknowledges receipt (with an unforgeable 
message) of Uih encrypted game outcome message for that game, upon which 

20 it may be deleted. The encrypted acknowledge message will at least include 
an acknowledge code and the card index that identifies that game. One or 
more of the following methods may be used to detect and prevent tampering 
where losing messages are deleted. 

The server 11 monitors responses from the console 12 and quickly 

25 detects lost messages. This is possible using the card index and/or in an 

alternate implementation the random number seed index. If the cause of lost 
messages is determined to be the player he is deterred from tampering. 

When a message is lost the server 11 cannot acknowledge that game. II 
will remain in the cards E 2 PROM and contribute to the loss limit and 

30 memory space taken up. Eventually the smartcard will become unusable. 
Game outcomes are stored in the sinarlcards E^PROM until 
acknowledged by the server 11. In one implementation, any subsequent 
communications between the smartcard and server allows the server 11 to 
uncover these stored outcomes. Therefore to lose messages the smartcard 

35 may never again communicate with the server 11. In this implementation all 
tjamc ( utcome rn^sagws to the server 11 may additionally contain the 
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number of game outcomes stored in the smartcard, The server 11 may then 
request these game outcomes from the smartcard. 
Game and Function Description To Smart Card 

The console 12 informs the smartcard, and hence the server 11, of the 
5 game type to be played. Theoretically this is sufficient for the smartcard to 
know the combinations for that game and the gamble that is about to take 
place. However a smartcard preprogrammed with this information will not 
be able to deal with new games, and Ihe large number of possible games may 
overrun its memory capacity. Therefore in practice it is preferable for the 
10 console 12 to also describe the gamble to the smartcard and hence the 
server 11. 

The game is described to the smartcard using a minimal number of 
generic descriptions or commands. For some games the generic commands 
may not be adequate to describe the game and game specific commands may 
15 need to be added. As the smartcard contains a microprocessor virtually any 
type of game command may be added. In response to a command the 
smartcard generates a response, stores the appropriate information in the 
E 2 PROM (for later transmission to the server 11) and then sends a response to 
the console 12. Generally a game is described by: 
20 • The console 12 sends a message to the smart card describing some state of 
the game to the snrvnr 1 1. The card does not interpret the message, but 
encodes it for transmission to the server 11. By sending the message to the 
smartcard the console 12 proves lo the server 11 that the message (eg. a 
player selection) was made at a particular point in the game. Messages 
25 include start of game, end of game, player selections, game type, amount 

bet etc. 

• The smartcard generates an array of M random numbers, each in the range 
1 to N. The numbers may be independently selected (ic duplicates may 
exist) or of unique values. The console 12 subsequently requests numbers 
30 from the array, with the smartcard recording the requests and values for 

transmission to the server 11. Note that a request for a single random 
number in the range 1 to N is a simple case of an array in which M = 1. 
When an array is required exceeding the maximum memory capacity 
of the smartcard the array is split into multiple sub-arrays that are generated 
35 independently. Using a selection algorithm that is common to both console 
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12 and server 11 the arrays are merged (in the console 12 and server 11) and 
if necessary duplicate values, are reselected from the sinartcard. 

Many games have a fixed sequence of events, however the sequence of 
events in some games depends on the actions of the player. The server 11 
5 must be able to determine the end of a gamble to update the players account 
Preferably the console 12 informs the smartcard, and hence the server of the 
start and end of games, although this may not be necessary for some types of 
game in which these are implicit. For example, a winning slot game may be 
followed by a sequence of up to 5 double-ups. The server 11 is able to 
10 determine that the game ends if the player loses on the slot game or any of 
the double-ups, but must be informed if the player chooses not to play the 
double-ups. 

Card games (eg blackjack) usually deal cards from a single deck of 52, 
which is reshuffled for each game. Traditional casino games usually deal 

15 from a deck of 6 packs of cards, to hinder card counting. Games using 6 
packs of cards can be handled in two ways. Preferably cards (random 
numbers) are selected from the smartcard independently and sequentially. If 
a card is selected that has already been selected 6 or more times then it is 
reselected until a valid card is selected. Alternately a special game 

20 description command can be added that is able to generate an array 
representing 0 shuffled packs of cards. 

Another example of a special game description command is the use of 
multiple arrays. The preferred implemenialion is able to generate and select 
values from only one array. If a game were implemented that required 

25 generation and selection of multiple arrays, extra commands would need to 
be added. Preferably when such commands are added compatibility with old 
games is maintained. 
Double-Up Game Description 

In red/black double-up the player chooses a number (colour) between 1 

30 and 2 which the console 12 sends to the smartcard as a message to the server 
11. The console 12 then requests the smartcard to generate a random 
number between 1 and 2. If the player selection matches the smartcard 
selection the player wins, otherwise the player loses. Bolh Hie console 12 
and server 11 can determine the game outcome from the player choice and 

35 the smartcards randomly determined choice. 
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Alternatively the smartcard first generates the random number, the 
player selects a colour,* and only then does the s mar I card disclose the colour 
chosen. 

Using the card index the server 11 verifies the player selected the card 
5 colour before the colour was disclosed by the smartcard. 
Odds Gamble Game Description 

An odds gamble is similar to double up, except the player chooses the 
odds to play. The odds chosen are both the random number range and the 
amount by which the stake will be multiplied if the player wins. 
10 Preferably the player chooses the odds, N to 1 (eg. 2:1 or 3:1), and the 

smartcard generates a random number in the range 1 to N. If the random 
number is the winning value (eg 1) the player wins, otherwise the player 
loses. 

Alternately the player chooses the odds ; N to 1, then makes a selection. 

15 The game is described to the smartcard as a player selection of a number 

(from 1 to N) followed by a smartcard generated random number in the range 
1 to N. If player and smartcard selections match the player wins. 
Slots Game Description 

A typical spinning reel slot game has 3 reels, each of 30 symbols with 3 

20 symbols from each reel visible to the player on the screen. This particular 

game requires the generation of 3 independent random numbers in the range 
1 to 30, representing the final stopping positions of each of the 3 reels. A 
choice made by the player is not applicable in this situation. 

The console 12 requests an array of 3 independently selected random 

25 numbers from the smartcard, each random number being in the range 1 to 30. 
The smartcard then returns the result to the console 12 and server 11, as to 
which of the N possibilities was randomly selected for each selection in the 
array of M, as described previously. In the case that reel strips have different 
numbers of stop positions a random number is generaled in the appropriate 

30 range for each. 

Blackjack Game Description 

The game of blackjack is more complex and requires a game specific 
command. In one implementation of blackjack four cards 201, 202, 203, 204 
are sclc ;ted from a deck, two for the dealer 201. 202 and two for the player 

35 203,204 ( S je Figure 5). Oiui of the dealer's. cards 201 and both player cards 
a v di-q I \ ed to the player. The other dealer card 202 is hidden. If the . 



WO 98/35309 



PCT/AU98/00072 



displayed dealer card is an ace the player may choose lo take an insurance 
bet; against a dealer blackjack (ie that the hidden card has a count of ten). If 
the dealer has a blackjack the fjame ends and the player is paid a win only if 
they took an insurance bet. If the dealer did not have a blackjack the game 
5 continues. Using the usual rules of blackjack the player and dealer choose 
additional cards from the deck. 

First, a shuffled deck of cards is created by generating an array of up to 
fifty two unique random numbers, each in the range one lo fifty two. Next 
the console 12 reads three of the cards from the array and displays to the 

10 player the two player cards 203, 204 and one dealer card 201, leaving the 

second dealer card 202 displayed facedown. If the displayed dealer card is 
an ace then using a blackjack specific command the console 12 checks if the 
second dealer card 202 has a count of ten. The smartcard does not disclose 
the actual value of the card 202, only if it had a count of ten, or not. 

15 Additional player cards are selected as required from the remaining numbers 
in the array. 

Kcno Game Description 

To play Keno the player selects X unique numbers in the range 1 to Z 
and the console 12 selects Y unique numbers in the range 1 to Z, Typically X 

20 = 10, Y = 20, and Z = 80. The console 12 compares the X player selected 

numbers with the Y console selected numbers and pays the player according 
to the number that match. 

First the player makes a selection of X numbers, which are sent as a 
message for the server 11 to the smartcard. This proves the player selection 

25 before the smartcard generates the console selection 

The console 12 then requests the smartcard to generate an array of Y unique 
numbers in the range 1 to Z and reads the generated numbers. The console 
12 reads these numbers and scores the game according to the quantity that 
match. 

30 Accounting Description 

In the preferred implementation the server performs accounting. 
Alternatly the smartcard may also be used to perform accounting to allow 
independant auditing of player gambling and hence provide enhanced 
security against tampering at the server and help in resolving player disputes. 
35 Although the console can keep accounts these are not secure and arc 
therefore of limited value. In this implementation an extr;; Junction 
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description is used for the player bet, so that the smartcard can keep 
appropriate accounting of bets, wins and losses. These accounts may be read 
independently (of the server) from the smartcard but cannol be. modified, 
except by the playing of games. 
Download of Code to the Smartcard 

To increase flexibility of the smartcard, code may be downloaded to it 
from the console 12. Security of the smartcard may be maintained in two 
ways: 

• The code that can be executed is restricted such that no possible code that 
is downloaded can compromise security. A simple interpreted language 
could easily satisfy this condition. 

• Downloaded code, is encrypted such that only an' authorised source could 
have generated it. Alternately a digital signature is used to show that the 
code is from an approved source. 

A copy of the code or a one way hash function of it, is sent from the 
smartcard to the server 11 as a means of verification, with the server 
confirming the code before it is executed. 
Off-line Gaming 

The smartcard may be used in off-line gaming, in which the games 
may he played without continuous communication with. a server 11. 

The smartcard is used to generate and record game outcomes of games 
played without communication to the server 11. When communication is re- 
established with the server 11 the recorded games arc sent to the server for 
verification and account update. 

• A personal gaming machine comprising of a small hand held console, 
similar in concept to a "Gamcboy rM " games console or Radica: ™ gaming 
toy, into which the smartcard is either inserted by the player or embedded 
by the manufacturer. 

• A traditional gaming machine with enhanced security features provided by 
an embedded smartcard. 

• Gaining on a home or business computer, with the computer as the 
console 12. Credits may lie transferred to the card via a communications 
link to the casino. The computer maybe an Internet terminal and credits 
transferred via Internet. 

• A plug in module for a game console 12 (eg. Sony Playstation or Nintendo 
Ultra64), containing the game program (name data) for the console J2 and 
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the smart card. The module may additionally have a modem for 

communications; 

In an off-line gaming application the number of games played is 
limited by the noh- volatile storage available on the card and therefore data 
compression techniques may be used to increase the data storage capacity of 
the card. 

Alternately the card may perform verification of the combinations for 
games itself instead of sending the game descriptions to the server 11. 
Therefore, the game descriptions are not stored within the card (except for 
the most recent, as required for game recall), saving space and increasing the 
number of games that may be played independently of the server. 11. The 
server 11 need only check the total of wins and losses for these games. 
However, only games with combinations known to the smartcard can be 
compressed in this way. Any other game combinations played take the usual 
amount of non-volatile storage. In this implementation both the smartcard 
and console 12 may store game descriptions intended for later 
communication to the server 11, but they are not essential for security. 
Server Verification Of Games 

The server 11 verifies the games played on the console 12 using the 
game description message from the smartcard. At least the following checks 
are made: 

• If implemented, the server 11 checks that the random number seed index 
is valid. 

• The game descriptions are consistent with the game type selected. 

• The gamble is correct for the game type played. 

• The amount bet is valid, including maximum bet, maximum win, etc. 

• The game has been fully described and that no messages from the 
smartcard are missing. 

• The server 11 may know the initial random number and hence be able to 
calculate all future random numbers, II can therefore check the random 
numbers generated by the smartcard. 

For example, a game may allow up to five red/black double ups 
following a win on a spinning reel game. The server 11 would check that the 
double up "c Hewed a win, that no more than five double ups were played, 
that each s i ; essive double up was played only as a result of a win on the 
previous { \ .a iJ thai the odds described to the smartcard for each game 



WO 98/35309 



PCT/AU98/00072 



28 

were correct. The gamble is not complete until the last double up "has been 
' played, and preferably the end of game message has been sent. The server 1 I 

cannot update the account until each of the outcomes is known, in the 

correct sequence. The game type is therefore different for each of the games 
5 played (ie. (here are a maximum of six game types played), or another field 

is added to the game description message to describe which game in the 

sequence is being played. 

Additionally games maybe validated by another server 11 whose sole 

purpose is to verify games. All communications between smartcard and 
10 server 11 are copied to the verification server by the game server. The 

verification server 11 must know the encryption keys used for 

communication between game server and smartcards 23. A jurisdictional 

body may, for example, use a verification server 11 to verify the correct 

operation of the casinos operating within its authority. 
15 Optionally, the encrypted game outcome messages from the smartcard 

to server include the random numbers used to determine the game outcome. 

The server verifies that the random numbers produce the specified game 

outcomes and that the random numbers are valid (either by checking Ihe 

sequence or statistical tests). 
20 Game Recovery 

In the event of an interruption to the game sequence (power down, 

communications failure, console failure etc.) it is possible to recover to the 

same position in the sequence via several means, including; 

• The console 12 may have non-volatile storage from which it can recover its 
25 previous state of play. 

• Outstanding game outcomes in the smartcard are first transmitted to the 
server 11. Once all game outcomes have been acknowledged, the server 11 
has a complete record of the state of game play and the console 12 may 
then request the current stale. 

30 • In an alternate implementation the smartcard stores information sufficient 
to restore a game in its non-volatile memory, which is passed on request 
from the smartcard to console 12. 
Communications N 
Prior to encryption messages may include a message type 
35 identification code and a message integrity code (eg. CRC or checksum or 
secure hash). An additional integrity code added v.i-v.v mcryplion i-msures 
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successful transmission of data over the communications link between the 
server 11 and console 12. Therefore, when either the smart card ur server 11 
detects errors within the encrypted message either may assume that those are 
not communication errors and that tampering is taking place and hence take 
5 appropriate action. 

The console 12 may require secure communications with the server 11 
separate to that required by the smartcard. This may include the need to 
download game graphics, sound and code, or player account information- 
Two methods may be used to accomplish this: 
10' • The servers 11 and console 12 communicate using the smartcard as the 

encryption means. The console 12 effectively encrypts and decrypts data 
using the smartcard as the encryption engine. 

• The console 12 requests an encryption key from the server 11 for the game 
session. The key is generated by the server 11, encrypted, and sent to the 

15 smartcard. The smartcard decrypts the key and gives it to the console 12 

which then uses it for private communications with the server 11. 
In a variation on the preferred implementation the console 12 or 
smartcard suspends games when communication delays with the server 11 
exceed a preset time limit, thus ensuring that when the server or network is 
20 not operating the console does not play games. 
Server To Smart Card Messages 

The server 11 and hence the console 12, may send the following 
messages to the smartcard, as described elsewhere in this document: 

• Send random number seed to the smartcard. 

25 • Request previous game outcomes from the smarlcard. 

• Request last game outcome from the smartcard. 

• Request Card ID (or public key) from the smartcard. 

• Send game outcome receipt acknowledge to the smartcard. 

• Security poll requiring an immediate and unforgeable response. 

30 Messages from the server 11 are encrypted to prevent eavesdropping or 

tampering, especially where game outcomes and random numbers are being 
sent. The server 11 unforgeably identifies itself to the smartcard in its 
communications by: 

• Encrypting messages using the smartcards encryption key, if that key is 
35 secret and shared only between the server 11 and smartcard. 
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• By the server 11 having at least one other encryption key that is a secret 
known only to the server and smartcard(s). 

• By the server 11 having a public key pair and encrypting or signing 
messages with its private key. The smartcard(s) verify messages with the 

5- public key. 

To ensure cryptographic freshness and prevent attacts by replaying 
messages to the smartcard, the message may contain two additional fields 
(similar to those in smartcard to server messages) in which; 

• A randomising code ensures that otherwise identical messages produce 
10 different messages when encrypted. 

• An index field is used to determine if the message is fresh. Typically this 
field contains an incrementing 32-bit number and for a message to be valid 
it must contain a larger index number than the last valid message. 

A replay attact might, for example, replay the transmission of a random 

15 number seed and cause it to be reused. The optimum game choices could 
then easily be determined. 
Smart Card To Server Messages 

Each command sent to the smartcard used to describe games or 
generate game outcomes for the console 12 also generates an encrypted and 

20 unforgcablc message to the server 11 (See Figure 6). Each type of game 

description or command will cause a different type of message to the server 
11 to be generated. Each message is comprised of the card index, game 
description and optional integrity code (eg. checksum orCRC), which is then 
encrypted. Therefore four basic messages types arc used (message from 

25 console 12 to server 11, random number array generation and selection, and 
the blackjack specific command) with more being added as required. 

The card index is used to uniquely identify and sequence each game 
description sent from console 12 to the smart card, and hence to the server 
11, It is automatically incremented for each description and used by the 

30 server 11 to determine the order and completeness of all games. Typically 
the card index is a 32-bit number. For example, if the server 11 receives 
messages with card indexes of one and three only, it knows that it is missing 
message two. If a message is lost and needs to be resent to the server 11 the 
original card index is used a;ii the message is identical except in an 

35 implementation where a ran i onising number is included in the message. It 
aiso knows that game d< s -i > mi two was nuidt-; after description one, and 
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that three was after two. The card index also prevents tampering by replay 
attacts in which messages . are recorded and resent to the server. 

To improve security a randomising code may be included in the 
encrypted message to ensure that every message from the smartcard is 
5 unique, even if it contains otherwise identical data. The randomising code is 
different for each transmission and would typically be a simple count value 
or random number. The server 11 ignores the randomising code. 

In the alternate implementation where random number seeds arc 
generated by the server 11 the encrypted game outcome message sent from 

10 the smartcard to the server also includes the index number that was received 
with the random number seed used for that game. Including the index 
ensures thai all packets of encrypted data sent back to the server 11 are 
unique, and that a previous winning game outcome message cannot be resent 
to the server. The server 11 checks the index number to ensure that this 

15 game outcome has not been previously recorded. Old messages or messages 
for games that have never occurred are evidence of attempted tampering. 
The random numbers may also be included in this return packet as further 
confirmation. 

Messages to and from the smartcard may be combined reduce the 
20 amount of data transmitted and the response time. The response time of Ihe 
card to game commands is composed of communications times, command 
processing time, and E x PROM write time. Therefore to reduce the response; 
time commands to, and results from, the smartcard may be combined. For 
example, if the E 2 PROM write time is 5ms, three commands each resulting in 
25 writes to E 2 PROM would require at least 15ms. However if the commands 
arc combined only a single 5ms E 2 PROM write is required, saving 10ms. 

Attacks on smartcard security may be attempted by timing analysis of 
smartcard responses to commands from the console 12. Two methods may 
be used to prevent this: 
30 • A small random time delay may be introduced into all communication 
from the smartcard to the console 12. 
• All responses from the smartcard are delayed to the maximum time that 
Liny response could take. All messages therefore take the same amount of 
time from initiation. 
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Random Number Generation 

The random numbers used to determine game outcomes are generated 
either within the smartcard, by the server 11 and sent to the smartcard. or a 
combination of both. 
5 Smartcard Generated Random Numbers 

In the preferred implementation the smartcard generates the random 
numbers required for outcomes from an initial seed. The seed may be set 
once during configuration/manufacture or updated at various times by the 
server 11. An implementation that does not allow the server 11 to update the 
10 seed eliminates the possibility that a compromised server can he used to 

influence or determine the game outcome and hence cheat the system. In an 
implementation in which the random number seed can be updated the 
principals set forth for server generated random numbers are also applicable. 

An obvious point of attack is the random number generator as it is on 
15 the smartcard. An automated attack can play a large number of games and 
record the outcomes to try to determine the random number sequence. One 
or more of the following methods can be used to prevent this attack: 

• The random number generator is resceded from the server 11 periodically. 
Each time the generator is reseeded the attack analysis would have to 

20 restart. 

• When the set limit on the generator is reached without a new seed the 
smartcard refuses to accept new gambles, 

• The delay between generating random numbers can be sufficiently large 
that it takes too long lo determine the sequence by exhaustive trial. 

25 • The generator used is unpredictable, even if its output can be recorded. 

• The results output from the smartcard do not indicate the exact random 
number generated, only a region in which it falls. Thus the random 
number is quantised, becoming much harder to determine. 

• An automated attack would preferably be made without gambling and 
30 thereby losing money. Therefore zero value gambles are either not 

allowed or enable a different type of random number generator. If this 
generator is compromised it is of no help in real games. 

• The smartcard generates an internal random number from an initial seed 
sel during manufacture and combines (eg. exclusive or) it with a random 

35 number generated with a seed sent from the server 11. The random 
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number sequence therefore changes when a new server seed is sent, but a 
compromised server cannot influence the outcome of games. 
Server Generated Random Numbers 

In this alternate implementation the server 11 generates random 
5 numbers and transmits them to the smartcard prior to the game requiring 

them. The server may generate all the random numbers required for games, 
but preferably a single random number seed is used to generate all the 
random numbers required for a game, reducing the amount of data 
transferred. For example, a five-reel slot game requires at least five random 
10 numbers, but five random numbers are easily generated from a single random 
number seed. 

In a variation encrypted random seeds must be used within a set time 
period. Seeds having a limited lifetime, of say 1 hour, shorten the time seeds 
are available for malicious decrypting. Both encrypted and non-encrypted 
15 'use by dates' are attached to each encrypted seed to enable the console 12 
and smartcard to discard seeds that are no longer valid. If a game is played 
with an invalid seed the server 11 will declare that game void. To prevent 
tampering whereby messages about losing games are delayed and voided by 
the server only wins are voided, not losses. 
20 In another variation random numbers are continually sent to the 

^ smartcanl. The smartcard discards all those that it does not use, and 
optionally informs the server 11 that it has done so. 

When the console 12 is initialised for game play it requires random 
number seeds for the smartcard. These may be stored locally from the 
25 previous game session or will be generated on request, by the server 11. The 
console 12 stores multiple seeds in a buffer (Figure 7), the quantity being 
determined by the delay associated in requesting more over the network. 

The console 12 or an intermediate level server in an hierarchical 
system may store seeds and these can be used in a new session. The console 
30 12 is therefore able to immediately supply random number seeds to the 

smartcard as required and when the console buffer runs low it will request 
more from the server 11. 

Where the random number seeds are sent with a unique index the 
.server 11 may need to determine the last seed used by the smartcard, to 
35 enable the next numbers in the sequence to be generated. In this 
mjil Mii MLlalton the servei H j s ablt? In query the smartcard during 
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initialisation for the sequence number (or entire game outcome message) of 
the last game played. 

Ia an alternative implementation, random number seeds are sent from 
the server 11 with an embedded index number, which is returned to the 
5 server with the game outcome that was created with that random number. 

The index number prevents cheating where a random number seed is reused 
and further enables the server 11 to verify game outcomes. When each new 
random number seed is received the embedded index is checked against that 
of the most recent game outcome stored in E 2 PROM. There are three possible 
10 outcomes: 

• The received index is newer (ic. larger) than that of the last. stored game, 
indicating that it is a new seed, for a new game. 

• The received index is the same as the stored index, indicating that the 
game has already taken place, and the console 12 is so informed. No new 

15 gamble choice will be accepted. 

• The received index is older (ie. less) than that of the last stored game. 
This is either Hie result of an error in the system or an attempt at cheating. 
This condition is signalled back to the console 12 and the random number 
seed discarded. 

20 Optionally the index must be the next in the sequence for the 

smartcard to accept the communication. For example, if the last index was 
1000, the next must be 1001. In an alternate implementation is for the next 
random number seed to be sent in response lu the encrypted game outcome 
for the last game being received by the server 11. However, a delay may 

25 occur before the next game if sufficient seeds are not available during 
subsequent games. 
Random Number Server 

In a variation on server generated random numbers and to increase 
security or control over gaming (by government jurisdiction), a random 

30 number server 114 (Figure 8) may be used to create random number seeds. 
The random number server 114 generates and encrypts seeds using an 
encryption key not known to the game server(s) 11 and sends them lo the 
game server(s) 11 for distribution to the player consoles 12 and hence 
smartcards 23. It is the refer-; not possible for a compromised server to be 

35 used to influence or detennin s the outcome of games. 
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Random seeds may be encoded such that they can only be used by a 
specific smartcard, to reduce the possibility of cheating by sending the same 
seed to multiple smartcards. 

The smartcard may generate an acknowledgment message to confirm 
that it has received the random number seed, xvhith the game (or 
verification) servers then use to verify the correct operation if the system. 
When sending the acknowledgment message, the smartcards card index is 
incremented, allowing the game (or verification) server to detect when the 
same random number has been used by multiple smartcards, as 
acknowledgments cannot be deleted without detection. 

Multiple sources of random numbers may be combined within the 
smartcard to produce the random number to be used to generate the game 
outcome. The multiple sources may be used for each random number 
required or periodically used to randomise the sequence further, for example, 
the server 11 sends the smartcard its own random number together with that 
from two independent random number servers 114. The smartcard in 
addition has its own random number generator seeded during manufacture of 
the card. The four random numbers are combined (eg. exclusive or) to form 
the random number(s) used to generate a game outcome. So long as at least 
one of the sources of a random number is not compromised the game 
outcome cannot be influenced or predicted. 
Security 

Preferably security will be provided in signals transmitted between a 
game server and a smartcard by use of cryptographic techniques, with the 
following general principles being employed: 

1. All critical transmissions will be encrypted using state-of-the-art 
encryption schemes; 

2. Key management schemes will be used to ensure the security of IDs 
and keys; 

3. The freshness of all transmissions will be ensured and monitored 

4. Mutual authentication of principals will be routinely implemented. 

5. Cryptographically strong, unbiased pseudo-random number generators 
will be used through-out the implementation. 

In applications where the smartcard is associated with a single player 
or account (such as Internet gaming) it is an ideal means of identifying the 
plavor to the console 12. Preferably in prevent i inuthorisod use of thvj 
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smartcard players arc required to identify themselves to the sniartcard in 
order for it to function, typically using a pin number, password orbiomelric 
identification. Multiple accounts (eg. members of a family) may be accessed 
using a single smartcard and multiple pins, passwords or biometric 
identification. 

Although smartcards are very hard to compromise, they cannot be 
assumed to be perfectly secure. The potential for breaking the security on 
the smartcard is acknowledged and the system designed to minimise the 
damage caused. One or more of the following methods may be used to 
improve security or detect or limit damage: 

• A measure of physical security may be provided when the smartcard is not 
player accessible. This is only applicable in situations where the player is 
not required to access the smartcard. 

• A different encryption key is used on each smartcard.. so that if one 
smartcard is compromised not all cards are compromised. 

• The smartcard issuer (eg. Casino) may retain the ownership rights to cards 
and can reclaim a smartcard at any time. This allows them to check for 
physical compromise and remove any cards from use that seem to be 
suspicious. 

• The server 11 can cancel a smartcard. The server 11 will not allow any 
transactions with that smartcard and may notify its human attendants of 
any such attempts. 

• To prevent stolen cards being used I lit- card ID is programmed when the 
cards are manufactured. Cards cannot be used without the server 11 
knowing the card ID and hence stolen cards cannot (safely) be used. 

• When the smartcard detects attempted tampering via erroneous requests it 
may respond with a randomly generated response message that appears 
the same as a correct response, but is meaningless. 

• When the smartcard detects attempted tampering via erroneous requests it 
may delay its response to the next request by a significant time. 
Automated tampering will be slowed down to the point of worthlessness, 
but normal activity will never encounter delays. 

• The server 11 examines the pattern wins and losses associated with 
individual cards for evidence of tampering. For example, if the return to 
the player exceeds the statistically likely amount or a statistically 
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significant distribution exists in the size of bets between wins and losses 
(ic. large bets on wins and small bets on losses). 
• A smartcard that is used from a second location at a distance from the first 
location that is impossible to reach in the time between uses. This may 
5 indicate duplicate smartcards 23. 

In some applications where the smartcard is continuously online, 
such as hotel in-room gaming, security may be enhanced by the server 11 
periodically establishing secure communications with the smartcard. Only 
the smartcard is able to correctly respond, hence there is some assurance that 
10 the smartcard is not being tampered with. In addition the smartcard may 
require a similar response from the server 11. to check for itself that 
tampering is not taking place, and take appropriate action (eg shut down] if it 
is. 

Verifiability of the smartcard may be enhanced by a command causing 
15 the smartcard to dump its entire memory contents. Security demands that 

this command can only be issued by an authorised source, typically a server 

11 (in which case the memory dump may be encrypted) or test equipment. 

Preferably the command is encrypted using the server 11 encryption key or a 

key reserved especially for this purpose. 
20 Encryption 

The purpose of encryption between server II and smartcard 23 is to 

both hide the data (especially random numbers) and authenticate the source 

of the message. 

Either symmetric or asymmetric (public key) encryption may be used 
25 for smartcard to server communications. When public key encryption is 
used the public key need not be made public (except in an hierarchical 
system or to identify the smartcard to the server 11). 

Preferably each smartcard has its own unique key, so that in the event 
of a single key (or smartcard) being compromised the entire system is not 
30 compromised. The server 11 uses a different key for communicating with 
each smartcard. 

Alternatively, cards use the same key for communication with the 
server 11, which simplifies key management, but leads to potential security 
problems 

35 In the hierarchical or verification serve r system public key or a hybrid 

t-uicryplioii scheme may be preferred as it i if.l les a feature whore each of the 



WO 98/35309 



PCT/AU98/00072 



servers is able to decode messages from the smartcard without possibility of 
any server II compromising the system by forging messages. 

To further prevent tampering messages may be padded out with extra 
data, prior to encryption, that is randomly generated each time a message is 
5 sfiul. The messages may also be padded out to the same length each time. 
Each time an encrypted message must, be resent (eg. due to a system error) it 
will be different. It will not therefore be possible to determine which 
messages arc associated with which events. The recipient may ignore the 
extra data. 
10 Server 

The server II functions much as a server for a traditional distributed 
gaming system would, with some additional features: 

• An account is maintained for each smartcard that exists. In addition to 
player accounting and games information the account holds the 

15 encryption key(s) used for the smartcard and other information required to 

monitor security. 

• Software to detect tampering. 

• Encryption for smartcard communications and highly secure storage of 
smartcard keys. 

20 • The server II reads the game type played and verifies the gamble. The 
outcome and amount bet are used to adjust the players account. Any 
discrepancy between the server determined result and that of the game 
console are either system bugs or an attempt at tampering. 
Security Server 

25 Ensuring security of the server II may be a difficult and expensive 

process. In theory any software modifications on the server II require 

complete recertification of the software. 

An encryption server 113 (See Figure 9) may be provided to physically 

separate the functions of the server 11 and encryption. When software 
30 unrelated to security is changed on the server 1 1 the security system does not 

need to be recertified. All communications between the server 11 and 

consoles 12 passes through the security server 113. 

To match the band width of the game server 11 and security server 1*13 

to the application one or more game servers 11 may be used with one or more 
35 security servers 113, in any combination. 

Hierarchical Snrver Architecture 
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A large network may be constructed containing an hierarchy of servers 
(See Figure 10). The function of the servers is somewhat different to that 
described for a single server system. Advantages over a single level network 
arc possible: 

5 • When random numbers are generated by the top level server 111 the . 

games cannot operate without it, ensuring a high level of control. The top 
level server 11 1 is able to maintain highly accurate accounting of the 
entire system. 

• The lower level servers 112 need not have a high level of .security if they 
10 are not involved in payouts, in which case payouts arc determined by a 

higher level server 111 that does have high level security. 

• The low level servers 112 are used for local monitoring and accounting 
and can improve response time. 

• In a very large system the load is distributed across multiple servers. 
15 Lower level servers 112 off load communications traffic. 

• Communications from the console 12 to its server 11 must be relatively 
fast to keep games responsive. Communications between the levels of 
server need not be fast, if the top level server 111 generates a large number 
of random numbers and downloads them to the lower level servers 112 for 

20 later use. Games can proceed without immediate communication to the 

top level server 111 until the supply of random numbers runs out. 

Smartcards 23 may use public key encryption (or digital signatures) on 
game outcome messages, with the public key known to each of the 
appropriate levels of servers. In this implementation both the low level 
25 server 112 and higher level server 111 can keep track of games and 

accounting information. The low level server 112 can verify transactions, but 
not modify them. 

Examples of possible implementations are:- 

State wide networks spanning an entire state, such as Nevada in the 
30 USA or Victoria in Australia. The lower level servers 112 would be located 
in casinos or clubs and the top level server 111 controlled by the governing 
body of that state. 

On Internet a central high security server 113 distributes games 
(including random numbers) to lower security servers. The lower level 
35 servers 112 have a reduced responsibility to not loose games or results, but 
sinc:e it: is rot possible cr them c tamper with games, security requirements 
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are reduced. Attempt's to tamper are easily detected by the top level server 
111. 

A low level server 112 is implemented on an aeroplane. 
Communications between the aeroplane server 112 and ground based high 
5 level, high security server 113 may be slow, or only used wlu-m the plane has 
landed. 

Verification Server 

In an alternate implementation verification of games and accounts also 
takes place on a verification server, in addition to verification by the normal 

10 game server. This enables enhanced security as some types of tampering at 
the game server can be detected, depending on the system implementation 
used. The verification server may be run, for example, by a government 
controlled regulator to audit commercial establishments. 

Copies of all communications to the smartcard affecting game 

15 outcomes, from the smartcard to server reporting game outcomes, and 
acknowledgments, are sent by the game server to the verification server. 

Messages are encrypted, such that the verification server can read 
messages between the game server and smartcard. This may require that the 
verification server has the encryption keys shared by the game server and 

20 smartcard, or that an encryption method is used that allows a three way 

secure communication. Preferably, the game and verification server cannot 
forge the identity of the other. 
Verification Mode 

The. secure storage means may be provided with a verification mode in 

25 which the memory contents of the secure storage means may downloaded to 
an external device. Preferably, in the interests of security, secret encryption 
keys stored within the secure storage means are nol disclosed. Crytographic 
technuiques are used to ensure only an authorised party is able to initiate the 
verification mode. Typically it is the server using its secret key which is 

30 authorised, but other parties may be used when the secure storage means is 
provided with a secret verification key. Preferably invocation of device 
verification disables the secure storage means from futher use, except for 
device verification, and minimal changes are made to memory contents. 
Downloaded Console Code 

35 Traditional gaming machines d ) not allow the downloading of code 

because tampered code can cheat the s /. t mi Ve :i us^ console seciTitv ivS 
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solely dependent on tin; smarlcard and encrypted communications, then it is 
perfectly reasonable to download code to the console 12 as part of the game 
package. No possible code can compromise the security of I ho system, 
except in so far as it may mislead the player into the nature of the game 
5 being played. However, to further enhance security, code may be 

authenticated with methods such as digital signatures or encryption. 

It will be appreciated by persons skilled in the art that numerous 
variations and/or modifications may be made to the invention as shown in 
the specific embodiments without departing from the spirit, or scope of the 
10 invention as broadly described. The present embodiments are, therefore, to 
be considered in all respects as illustrative and not restrictive. 
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CLAIMS: 

1. A method of operating a gaming system including at least one gaining 
console, the console including secure storage means and a user interface 
allowing a user to initiate a game and observe a result, the method including 
the steps of: 

storing game or gamble outcome information in the secure storage 
means for use by the console to produce a game or gamble outcomn 
respectively; and 

upon receipt of a user input initiating a game, producing a game 
play sequence including a game and/or gamble outcome indication 
determined by the game or gamble outcome information stored in the 
secure storage means alone or in combination with a user input. 

2. The method of claim 1, wherein the information stored in the secure 
storage means is a sequential list of outcome information relating to a 
sequence of future games to be played on the console. 

3. The method of claim 2, wherein the game outcome information stored 
in the secure storage means, is in the form of a set of random numbers 
sufficient to generate an entire game outcome. 

4. The method of claim 1, wherein the information stored in the secure 
storage means is a random number seed from which outcome information 
relating to a sequence of future games to be played on the console is 
generated by operation of a random number generator. 

5. The method of claim 4, wherein the random number generator is 
provided as a pseudo-random number algorithm. 

G. The method of claim 4 or 5, wherein the game outcome information 
generated by the random number generator, is in the form of a set of random 
numbers sufficient to generate an entire game outcome. 

7. The method of claim 4 or 5 f wherein the outcome information is a 
random number used to determine a gamble outcome and the secure, 
processing means in the console then chooses a game outcome which will 
achieve that gamble outcome. 

8. The method. as claimed in claim 7, wherein the game outcome chosen 
depends upon the game being played. 

9. The method as claimed in any one of claims 7 or 8, wherein the game 
is chosen by the player. 
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10. The method as claimed in any one of claims 7, 8, or 9, wherein the 
game is chosen by the console. 

11. The method as claimed in any one of claims 7, 8, 9 or 10, wherein the 
game being played includes a plurality of game outcomes corresponding to 

5 the gamble outcome corresponding to the random number and one of the 
game outcomes, is chosen by the console. 

12. The method as claimed in any one of claims 10 or 11, wherein games 
or outcomes chosen by the console are chosen at random. 

13. The method as claimed in any one of claims 10 or 11, wherein games 
10 or outcomes chosen by the console arc chosen sequentially. 

14. The method as claimed in any one of the preceding claims wherein the 
secure storage means is removably connectable to or readable and writable 
by the console. 

15. The method of claim 14, wherein the information relating to future 

15 game outcomes stored in the secure storage means is stored before the secure 
storage means is connected to the console. 

16. The method of claim 15, wherein the secure storage means is a 
programmable card which is preprogrammed with outcome information 
before or after acquisition by a user and is inserted into the console by the 

20 user to produce one or more game outcomes on the respective console. 

17. The method as claimed in any one of claims 1 to 10, wherein the 
production of the game or gamble outcome determination is performed in a 
secure processing means connected to the secure storage means by way of a 
secure communications path. 

25 18. The method as claimed in claim 17, wherein communications over the 
secure communications path are secured by encryption. 

19. The method as claimed in claim 17, wherein communications over the 
secure communications path are secured by physical security means. 

20. The method as claimed in any one of claims 17, 18 or 19, wherein the 
30 secure processing means is a smartcard or smartcard chip which is 

permanently fixed in the console. 

21. The method as claimed in any one of claims 1 to 13, wherein the 
secure storage means is a smartcard or smartcard chip which is permanently 
fixed in the console. 

35 22. The method as claimed in any one of claims 1 to 20, wherein the 

secure storage means is a smartcard which is removable from the console. 
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23. The method of claim 21 or 22, wherein the secure storage means 
carries player identification and credit information. 

24. The method of any one of claims 1 to 14, wherein a gaming server is 
provided and is in communication with each gaming console, the gaming 

5 server being arranged to calculate the outcome information in relation to a 
game for storage in a secure storage means and to send outcome signals to 
the console in which the secure storage means is located, the method 
including the steps of: 

in the gaming server, precalculating data which partially or 
10 completely defines an outcome of at least one game on one console, 

and generating and sending to the respective console a signal 
indicating the precalculateri data prior to a user initiating the game 
on the console; 

in the console, receiving the data signal and storing the data as 
15 part or all of the game or gambleoutcome information in the secure 

storage means. 

25. The method of claim 24, wherein the console, upon receipt of the user 
. input to initiate a game, generates and sends a signal to the gaming server 

indicating that the stored information has been used to determine the 
20 respective game or gamble outcome. 

26. The method of any one of claims 1 to 14, wherein a gaming server is 
provided and is in communication with each gaming console, and each 
console, upon receipt of the user input to initiate a game, geiieraU-js and 
sends a signal to the gaming server indicating that the stored information has 

25 been used to determine the respective game or gamble outcome. 

27. The method as claimed in claim 24, 25 or 26, wherein the gaming 
server additionally performs the function of an accounting server whereby 
the accounting server is arranged to maintain credit account information in 
relation to a player playing a game on the gaming system and to send 

30 accounting information to the console on which the player is playing. 

28. The method as claimed in any one of claims 1 to 26, wherein an 
accounting server is provided and is in communication with each gaming 
console!, the accounting server being arranged to main lain credit account 
infoimition in relation to a player playing a game on the gaming system and 

35 to senc *\< counting information to the console on which the player is playing. 
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29. The method of claim 27 or 20. wherein the console, upon receipt by of 
the user input to initiate a game, generates and sends data to the accounting 
server to allow the accounting server to update the players account. 

30. The method of claim 24, wherein the console communicates to the 
gaming server data to enable the gaming server to verify the game. 

31. The method of any one of claims 24 to 30, wherein the console saves 
data sent, to each server and upon receipt of a secure signal indicating that 
the respective server has received the data then deletes the data from 
memory. 

32. The. method of any one of claims 24 to 31, wherein the precalculated 
data is transmitted from the game server to the secure storage means in the 
console and the game verification data is transmitted by the secure storage 
means to the game server. 

33. The method of claim 27, 28 or 29, wherein the accounting data is 
transmitted from the server to the secure storage means in the console. 

34. The method of claim 25 or 26, wherein the secure storage means, is not 
in communication with the gaming server when the game is played, and each 
time the secure storage means is next connected to the gaming server, it will 
generate and send a signal to the server indicating the stored game outcome 
information that has been used. 

35. The method as claimed in any one of claims 24 to 34, wherein signals 
generated by the server and console to transmit game outcomes or to indicate 
game play, are encrypted prior to being sent. 

36. The method of claim 35, wherein encrypted signals are each provided 
with a piece of unique information prior to encryption such that different 
signals containing the snme game information are different to one another 
after encryption. 

37. The method as claimed in any one of claims 24 to 36. wherein the 
server includes an auditing function to check the game and/or gamble 
outcome data returned from the secure device in the console. 

38. The method as claimed in claim 35, 36 or 37, wherein the game 
outcome calculation and the encryption and decryption of signals to and 
from the game server are performed in the console by the smarlcard. 

39. The method as claimed in any one of claims 24 to 38, wherein an 
hierarchical network of gaming server" are provided with the console 
connected to a low order. I< v ;r cu i i m- 1 work server which performs low 
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security and routine control and communication, while passing high security 
signals to higher level gaming servers having higher security. 

40. The method as claimed in claim 1, wherein the game or gamble 
outcome information represents a plurality of predetermined gamble 

5 outcomes which are stored in the secure storage means. 

41. The method as claimed in claim 40, wherein the game outcome 
information is stored as a list of values representing a plurality of game 
outcomes. 

42. The method as claimed in claim 41, wherein all unused values in the 
10 secure storage means, except for an initial value, are hidden and playing 

games discloses the values one by one. 

43. The method as claimed in claim 40, wherein the game outcome 
information is stored as an initial value representing a game outcome, and 
values representing subsequent games are generated from the initial value 

15 using a pseudo-random number algorithm. 

44. The method as claimed in claim 40, 41, 42 or 43, wherein the secure 
storage means is a smartcard nr smartcard chip. 

45. The method as claimed in claim 44, wherein the player can redeem the 
smartcard device at any time for the amount of the last disclosed value. 

20 46. The method as claimed in claim 45, wherein the redemption of the 
value on the smartcard is carried out via secure communication between 
smartcard and an accounting server. 

47. The method as claimed in claim 45 or 46, wherein the last disclosed 
value of the smartcard is the sum of the value of gamble outcomes for all 

25 games played on the smartcard. 

48. The method as claimed in claim 45, 46 or 47, wherein upon initiation 
of a game by a player, the console retrieves the new value of the smartcard 
device and displays an appropriate game sequence. 

49. The method as claimed in claim 48, wherein the player acquires a 
30 smartcard device with a fixed number of values. 

50. The method as claimed in claim 49, wherein the smartcard device is 
provided with a list of predetermined outcomes, and game play includes a 
step in which the player makes a bet on the outcome of each game. 

51. The method as claimed in claim 50, wherein for each outcome 
35 disclosed the player first makes a bet. which is written to non-volatile 



WO 98/35309 



PCT/AU98/00072 



memory in the smartcard device, and the total value owed to the player is 
calculated from the wins and losses for each bet and outcome. 
52. The method as claimed claim 5/1, wherein the player redeems the 
smartcard device for a latest value owed to the player. 
5 53. The method as claimed in claim 52, wherein the secure storage on the 
smartcard device is accessed via controlled access provided by the smartcard 
device. 

54. The method as claimed in claim 53, wherein the secure storage on the 
smartcard is accessed via a secure communications system within the 

10 console. 

55. The method as claimed in claim 54, wherein the secure 
communications system is provided by a further smartcard device. 

5G. The method as claimed in any one of claims 40 to 55, wherein the 
smartcard device is programmed with multiple functions, only one of which 
15 is a gaming accelerator. 

57. The method of claim 56, wherein the smartcard device is programmed 
for use as an ID card and/or a credit card and/or a bank ATM card. 

58. The method of claim 57, wherein the protocol to access the smartcard 
device is compatible with another mode of the smartcard. 

20 59. The method as claimed in any one of claims 24 to 39, wherein the 
console sends a signal to the secure storage means describing a state of a 
game being played to the game to the server. 

GO. The method of claim 59; wherein the secure storage means encodes the 
message for transmission to the server. 

25 61. The method of claim 59 or 60. wherein the message indicates start of 
game, end of game, player selections, game type, or amount bet. 
62. A gaming system including at. least one gaming console, the console 
including secure storage means and a user interface allowing a user to 
initiate a game and observe a result,. the system including: 

30 secure storage means for storing game or gamble outcome 

information used by the console to produce a game or gamble 
outcome; and 

game control means in the console arranged to receive a user 
input initiating a game and to produce a game play sequence 
35 incl rling a game and/or gamble outcome indication determined by 
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the game or gamble outcome information stored in the secure storage 
means alone or in combination with a user input. 
63. The system of claim 62, wherein the information stored in the secure 
storage means is a sequential list of outcome information relating to a 
5 sequence of future games to be played on the console. 

G4. The system of claim 63, wherein the game or gamble outcome 
information stored in the secure storage means, is in the form of a set of 
random numbers sufficient to generate an entire gamble outcome. 
65. The system of claim 64, wherein the information stored in the secure 

10 storage means is a random number seed from which outcome information 
relating to a sequence of future games to be played on the console is 
generated by operation of a pseudo-random number algorithm. 
GG. The system of claim 65, wherein the game outcome information 
generated by the pseudo-random number algorithm, is in the form of a set of 

15 random numbers sufficient to generate an entire game outcome. 

tBf|r:;:^^ wherein the outcome information is a random 

number indicating a gamble outcome value and the console then chooses a 
game outcome which will achieve that gamble outcome value. 

68. The system as claimed in any one of claims 62 to 67,^ wherein the 

20 secure storage means is removably connectable to or readable and writable 
by the console. 

69. The system of claim 68, wherein the information relating to future 
game outcomes stored in the secure storage means is stored before the secure 
storage means is connected to the console. 

25 70. The system of claim 69, wherein the secure storage means is a 

programmable card which is preprogrammed with outcome information 
before or after acquisition by a user and is inserted into the console by the 
user to produce one or more game outcomes on the respective console. 

71. The system as claimed in any one of claims 62 to 70, wherein a secure 
30 processing means is provided to produce the game or gamble outcome 

indication and is connected to the secure storage means by way of a secure 
communications path. 

72. The system as chiimntl in claim 71, wherein the secure processing 
means is a smartcard or smartcard chip which is permanently fixed in the 

35 console. 
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73. The system as claimed in any one of claims 62 to 67, wherein the 
secure storage means is a smartcard or smartcard chip which is permanently 
fixed in the console. 

74. The system as claimed in any one of claims 62 to 72, wherein the 

5 secure storage means is a smartcard or smartcard chip which is removable 
from the console, 

75. . The system of claim 74, wherein the secure storage means carries 
player identification and credit information. 

76. The system of any one of claims 62 lo 75, wherein a gaming server is 
10 provided in communication with each gaming console, the server being 

-arranged to calculate the outcome information in relation to a game for 
storage in a secure storage means and to send game or gamble outcome 
signals to the console in which the secure storage means is located, and the 
console including receiving means for receiving the game or gamble outcome 
15 signal and storing the information carried in the signal as the game or gamble 
outcome information in the secure storage means. 

77. The system as claimed in claim 76, wherein the server includes an 
auditing means for checking game and/or gamble outcome data returned from 
the secure device in the console. 

20 78. The system of any one of claims 62 to 75, wherein a gaming server is 
provided in communication with each gaming console, the server including 
an auditing means for checking game and/or gamble outcome data returned 
from the secure device in the console. 

79. The system as claimed in claim 76, 77 or 78, the server and console 
25 each includes encryption and decryption means to encode transmission of 

game outcomes and/or transmissions indicating game play. 

80. The system as claimed in claim 77, wherein the encryption and 
decryption means in the console is a smartcard. 

81. The system as claimed in any one of claims 76 to 80, wherein an 
30 hierarchical network of gaming servers are provided with the console 

connected lo a low order, low security network server which performs low 
security and routine control and communication, while passing high security 
signals to higher level gaming servers having higher security. 

82. The system as claimed in claim 62, wherein the game outcome 

35 information represents a plurality of predetermined gamble outcomes which 
are strrtul in the socurn sloiagu means. 
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83. The system as daiinticl in claim 82, wherein the secure storage means 
is a smartcard or a smartcard chip. 

84. The system as claimed in claim 83, wherein the secure storage device 
is arranged to keep hidden all unused values until disclosed by playing a 

5 respective game. 

85. The system as claimed in claim 84, wherein the console is arranged to 
display an appropriate game sequence in which it retrieves, the new value of 
the smartcard device upon initiation of a game by a player. 

86. The system as claimed in claim 85, wherein the smartcard device is 
10 originally provided with a fixed number of values, 

87. The system as claimed in claim 86, wherein the smartcard device is 
provided with a list of predetermined outcomes, and the console includes a 
bet input means arranged to receive a bet on the outcome of a game. 

88. The system as claimed in claim 87, wherein a non-volatile memory is 
15 provided in the smartcard device for recording player bet values , and the 

total value owed to the player. 

89. The system as claimed in claim 88, wherein the smartcard device is 
provided with controlled access means in communication with the secure 
storage means for secure communication therewith. 

20 90. The system as claimed in claim 88, wherein the console is provided 
with a secure communications system for secure communication with the 
secure storage device. 

91. The system as claimed in claim 91, Wherein the secure 
communications system is provided by a further smartcard device. 
25 92. The system as claimed in any one of claims 83 to 91, wherein the 

smartcard device which provides the secure storage means is programmed 
with multiple functions, only one of which is a gaming accelerator. 

93. The system of claim 92, wherein the smartcard device which provides 
the secure storage means, is programmed for use as an ID card and/or a credit 

30 card and/or a bank ATM card. 

94. The system of claim 93, wherein the protocol to access the smartcard 
device which provides the secure storage means, is compatable with another 
mode of the smartcard. 

95. The system as clahre i in any one of claims 76 to 81, wherein the 

35 console sends a signal to t \ : ;crvcr via the secure storage means describing a 
stato of a game being pin ' t r l m ^ame to the snvvuv. 
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96. The method of claim 95, wherein the secure storage means encodes the 
message for transmission to the server. 

97. The method of claim 95 or 96, wherein the message indicates slarl. of 
game, end of game, player selections, game type, or amount bet. 

5 98. A secure storage means for use in a gaming console which includes a 
user interface allowing a user to initiate a game and observe a result, the 
secure storage means being arranged to store game or gamble outcome 
information used by the console to produce a gamble outcome. 

99. The secure storage means of claim 98, wherein the information stored 
10 in the secure storage means is a sequential list of outcome information 

relating to a sequence of future games to be played on the console. 

100. The secure storage means of claim 99.. wherein the game outcome 
information stored in the secure storage means, is in the form of a set of 
random numbers sufficient to generate an entire gamble outcome. 

15 101. "The secure storage means of claim 100, wherein the information stored 
in the secure storage means is a random number seed from which outcome 
information relating to a sequence of future games to be played on the 
console is generated by operation of a pseudo-random number algorithm. 

102. The secure storage means of claim 101, wherein the game outcome 
20 information generated by the pseudo-random number algorithm, is in the 

form of a set of random numbers sufficient to generate an entire game 
outcome. 

103. The secure storage means of claim 101, wherein the outcome 
information is a random number indicating a gamble outcome value. 

25 104. The secure storage means as claimed in any one claims 98 to 105, 

wherein the secure storage means is arranged to be removably connec table to 
or readable and writable by the console. 

105. The secure storage means of claim 98, wherein the information relating 
to future game outcomes stored in the secure storage means is stored before 

30 the secure storage means is connected to the console. 

106. The secure storage means of claim 105, wherein the secure storage 
means is a programmable card which is preprogrammed with outcome 
information before or after acquisition by a user and is arranged to be 
inscrtable into the console by the user to produce one or mow ««ui.e 

35 outcomes on the respective console. 
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107 The secure storage means as claimed in any one of claims 98 to 106, 
wherein a secure processing means is, provided and the secure storage means 
is arranged to be connected to the secure processing means by way of a 
secure communications path, and the secure processing means is arranged to 
5 provide the gamble outcome. 

108. The secure storage means as claimed in any one of claims 98 to 103, 
wherein the secure storage means is a smarleard or smartcard chip which is 
arranged to be permanently fixed in the console. 

109. The secure storage means as claimed in any one of claims 98 to 107, 

10 wherein the secure storage means is a smartcard which is removable from the 
console. 

110. The secure storage means of claim 109, wherein the secure storage 
means carries player identification and/or credit information. 

111. The secure storage means of any one of claims 98 to 110, wherein the 
15 secure storage means is arranged to communicate with a gaming server via a 

gaming console, the server being arranged to calculate I he game or gamble 
outcome information in relation to a game for storage in the secure storage 
means and to send outcome signals to the secure storage means via the 
console, the secure storage means being arranged to receive and store the 
20 game or gamble outcome information. 

112. • The secure storage means of claim 111, wherein the game or gamble 
outcome information received by the secure storage means from the server is 
combined with existing information held by the secure storage means to 
generate a game or gamble outcome. 

25 113. The secure storage means of claim 111 or 112, wherein upon receipt by 
the console of the user input to initiate a game, the secure storage means 
generates and sends a signal via the console to the gaming server indicating 
that the stored information has been used to determine the respective game 
or gamble outcome. 

30 114. The secure storage means of any one of claims 98 to 108, wherein the 
secure storage means is arranged to communicate with a gaming server via a 
gaming console, and upon receipt by the console of the user input to initiate 
a game, the secure storage means generates and sends a signal via the console 
to the gaming server indicating that tin; stored information has been used to 

35 determine the respective game or gamble. 
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115. The secure storage means of claim 113 or 114, wherein the signal sent 
to the gaming server includes data indicating a game played or a function 
performed and the secure storgage means stores the dala sent to the server 
' until the gaming server acknowleges receipt of the signal. 
5 116. The secure storage means of claim 111, 112, 113, 114 or 1 15, wherein 
communications between the gaming server and the secure storage means is 
encrypted. 

117. The secure storage means as claimed in claim 98, wherein the game 
outcome information represents a plurality of predetermined game or gamble 

10 outcomes which are stored in the secure storage means. 

118. The secure storage means as claimed in claim 117, wherein the secure 
storage means is a smartcard or a smartcard chip. 

119. The secure storage means as claimed in claim 118, wherein all unused 
values in the secure storage means, except for the initial value, are hidden 

15 and playing games discloses the values one by one. 

120. The secure storage means as claimed in claim 119, including a fixed 
number of initial values. 

121. The secure storage means as claimed in claim 120, including an initial 
list of predetermined outcomes. 

20 122. The secure storage means as claimed in claim 121, wherein the 

outcomes are initially stored in a secure form accessible only during game 
play whereby they are disclosed one at a time as games are played. 

123. The secure storage means as claimed in claim 98, wherein for each 
outcome disclosed the player first makes a bet, which is written to non- 
25 volatile memory in the smartcard device, and the total value owed to the 

player is the sum of wins and losses for each bet and outcome. 

124. The secure storage means as claimed in claim 123, wherein the secure 
storage on the smartcard is accessed via a secure communications system 
within the console. 

30 125. The'secure storage means as claimed in claim 124, wherein the secure 
communications system is provided by a further smarlcard device. 
126. The secure slorage means as claimed in any one of claims 118 to 125, 
wherein the smartcard device is programmed with multiple functions, only 
one of which is a gaming accelerator. 
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127. The secure storage means of claim 120. wherein the smartcard device 
is programmed for use as an ID card and/or a credit, card and/or a bank ATM 
card. 

120. The secure storage means of claim 127, wherein the protocol to access 
5 the smartcard device is compatible with another mode of the smartcard. 

129. A secure removable control device for use in a gaming console which 
includes a user interface allowing a user to initiate a game and observe a 
result, the control device being arranged to supply game or gamble outcome 
information used by the console to produce a game outcome. 
10 1 30. The control device of claim 129, wherein the information supplied by 
the control device is a sequential list of outcome information relating to a 
sequence of future games to be played on the console. 

131. The control device of claim 130, wherein the game outcome 
information supplied by the control device, is in the form of one or more 

15 random or pseudo-random numbers sufficient to generate an entire game 
outcome. 

132. The control device of claim 130, wherein the outcome information is a 
random number indicating a gamble outcome . 

133. The control device as claimed in any one of claims 129 to 132, wherein 
20 a secure processing means is provided within the control device, the secure 

processing means being arranged to provide the game outcome indication 

134. The control device as claimed in any one of claims 129 to 132, wherein 
a secure processing means is provided, connected to the control device by 
way of a secure communications path, and the secure processing means 

25 being arranged to provide the game outcome indicatioa 

135. The control device as claimed in claun 134, wherein the secure 
processing means is a smartcard or smartcard chip which is permanently 
fixed in the console. 

136. The control device as claimed in any one of claims 129 to 134, wherein 
30 the control device is a smartcard or smartcard chip which is permanently 

fixed in the console. 

137. The control device as claimed in any one of claims 129 to 134, wherein 
the control device is a smartcard which is removable from the console. 

138. The control device of claim 136 or 137, wherein the control rev.cn 
35 carries player identification and/or credit information. 
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139. The control device of any one of claims 129 to 138, wherein the control 
device is arranged to communicate with a gaming server via the gaming 
console. 

140. The control device of claim 139, wherein upon receipt by the console 
5 of the user input to initiate a game, the control device general es and sends a 

signal viaL the console to the gaming server and/or an accounting server 
indicating the details of the game outcome information that has been used to 
determine the respective game or gamble outcome. 

141. The control device of claim 139 or 14U, wherein communications 
10 between the control device and the server is secured by encryption. 

142. The control device as claimed in claim 129, wherein the game outcome 
information represents a series of game or gamble outcomes which are 
supplied by the control device. 

143. The control device as claimed in claim 142, wherein the control device 
15 is a smartcard or a smartcard chip. 

144. The control device as claimed in claim 143, wherein for each game 
outcome the player first makes a bet, which is written to non-volatile 
memory in the smartcard device, and the total value owed to the player 
calculated from wins and losses for each bet and outcome. 

20 145. The control device as claimed in claim 144, wherein the secure storage 
on the smartcard is accessed via a secure communications system within the 
console. 

146. The control device as claimed in claim 145, wherein the secure 
communications system is provided by a further smartcard device. 
25 147. The control device as claimed in any one of claims 143 to 146, wherein 
the smartcard device is programmed with multiple functions, only one of 
which is a gaming accelerator. 

148. The control device of claim 147, wherein the smartcard device is 
programmed for use as an ID card and/or a credit card and/or a bank ATM 

30 card. 

149. The control device of claim 148, wherein the protocol to access the 
smartcard device is an extension of another mode of the smartcard. 

150. A virtual casino system including a gaming server, a gaming console 
and at least one virtual griming machine operable via the console, each 

35 virtual gaining machine having its own accounting, and combinations, and 
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each virtual machine being uniquely identified and capable of being returned 
to at any time by the player. 

151. The virtual casino system of claim 150, wherein each virtual machine 
is only capable of being returned to for play by the player provided it is not 
in use by another player. 

152. The virtual casino system of claim 150 or 151, wherein a player can 
observe on the console the operation of a virtual machine while it is in use 
by another player. 



WO 98/35309 



PCT/AU98/00072 



1/10 




WO 98/35309 



PCT/AU98/00072 



2/10 




WO 98/35309 



PCT/AU98/00072 



3/10 




OS 



N 

Q 



lb 



<3 



<0 




WO 98/35309 



PCT/AU98/00072 



4/10 



SERVER 



C0A/30LE 



CARD 



RIMER 



START GAME\y fZ3 
RLAr 



M/rFORftJr£R\^1ZO 

ro press "RLAr* 

\ 



PRESS PLAY 



REQUEST GAME 
OUTCOME 



1 



fZd 



GENERATE GAME OUTCOME 



■130 



WRITE GAME TO EERROM 



SEND ENCRYPTED 
GAME OUTCOME 
TO SERVER 



I 



t3z 



1 





SEND GAME 0 
ENCRYPTED 6 A 


VTCOME & 
ME OUTCOME 


ENCRYPTED 




UNENCRYPTED 



D/SPiAY GAME 
OUTCOME TO PLAYER 



ADJUST ACCOUNT/A/G 

AND SEND 
ACKNOWLEDGEMENT 



SEND 
ACKNOWLEDGEMENT 



5 



/34- 



ERASE GAME 
OUTCOME 
FROMEEPRONA 



DONE\ 



X35 



FIO. 4- 



WO 98/35309 



PCT7AU98/00072 



5/10 



-203 









( ^ 


PIAYER 


FACE 




FACE 


CAROS 


i/P 




UP 

















( \ 


DEALER 






FACE 


CAKDS 


UP 




DOWA/ 

















/%5. 5" 



WO 98/35309 



PCT7AU98/00072 



6/10 



1 



p 



! 
1 



WO 98/35309 



PCT/AU98/00072 



7/10 



SERVER 



CONSOLE 



5MARFCARD 



(m/t/al/sat/qa^ 



HO 



107 
f08 



REQUEST MORE 
RANDOM NUMBER 



I 



GENERATES 
TRWSM/T SEEPS 



1Z1 , 



I 



F/LL3UFFER\ 




FROM BUFFER 
I 



SEA/P SEED </SZ 
FO S/MRTCARD' 



/Z<* _T RECflUE SEED 



j 



EL4V GAME J-fZS 



F/O. 7 



WO 98/35309 



PCT/AU98/00072 




. WO 98/35309 



PCT/AU98/O0O72 



9/10 






ll 



5 



i 



WO !>8/35309 



PCT/AU98/00072 



10/10 




f^A INTERNATIONAL SEARCH REPORT 


International Application No. 




PCt/AU 98/U0072 



A. CLASSIFICATION OK SUBJECT MATTER 



Int Cl 0: GG6F 17/(50 

According to International Patent Classification (IPC) or to both national classification and IPC 
B. FIELDS SEARCHED 



Minimum documentation searched (classification system followed by classification symbols) 
IPC G06F 17/60, 17/00, 15/44, A63F 9/22, 9/24 

Documentation searched other than minimum documentation to the extent that such documents are included in the fields searched 
AU: IPC as above 



Electronic data base consulted during the international search (name of data base and, where practicable, search terms used) 
WPAT: (POKER()MACHINE# or FRLUT()MACHINE# or SLOT()MACHINEtf OR GAM:()MACHINE#) and 
SERVER; 

(POKER OR FRUIT OR GAM:) and (SERVER) 



DOCUMENTS CONSIDERED TO BE RELEVANT 



Category* ; Citation of document, with indication, where appropriate, of the relevant passages 



Relevant to claim No. 



X J AU, A, 44278/96 (ARISTOCRAT INDUSTRIES PTY. LTD.) 25 July 1996 
X i AU, B, 27192/95 (686824) (ACRES GAMING INC.) 2 May 1996 
US, A, 4636951 (HAKLICK) 13 January 1987 



98, 150-152 
98, 150-152 
98, 150-152 



j~| Further documents arc listed in the 
continuation of Box C 



See patent family annex 



* Special calegoi ies of cited documents: 

"A" document defining the general state of (lie art which is 
not considered to be of particular relevance 

"H" earlier document but published on or aller the 
international filing date 

"I," document which may throw doubts on priority claim(s) 
or which is cited to establish the publication date of 
another citation or other special reason (as specified) 

"()" document referring to an oral disclosure, use, 
exhibition or other means 

"P" document published prior to the international filing 

date but later than the priority date claimed 



"T" later document published after the international filing dale or 
priority date and not in conflict with the application but cited to 
understand the principle or theory underlying the invention 

"X" document of partieular relevance; the claimed invention cannot 
be considered novel or cannot be considered to involve an 
inventive step when the document is taken alone 

" Y" document of particular relevance; the claimed invention cannot 
be considered to involve an inventive step when the document is 
combined with one or more other such documents, such 
combination being obvious to a person skilled in the art 
document member of the same patent family 



Date of the actual completion of the international search 
15 April 1998 



Name and mailing address of the 1SA/AU 
AUSTRALIAN PATENT OFFICE 

po nox 2oo 

WODRN ACT 2606 
AUSTRALIA 

Facsimile No.: i*()2H>2S5 3929 



Date of mailing of the international search report 

2 3 APR If" 




Form 1VIVISA/2 10 {'second si ;;U) Ji r ' ' :npiow 



} INTERNATIONAL SEARCH REPORT 

Information on patent family members 



This Annex lists the known "A" publication level patent family members relating to the patent documents cited 
in the above-mentioned international search report. The Australian Patent Office is in no way liable for these 
particulars which are merely given for the purpose of information. 



Patent Document Cited in Search 
Report 






Patent Family Member 






AU 


44278/96 


WO 


9622586 










All 


35878/95 


US 


5655961 


WO 


9612262 


US 


5702304 


US 


4636951 


AT 


1451/84 


AU 


27572/84 


DE 


3416229 






ES 


531967 


GB 


2139390 


JP 


59209374 






NL 


8401380 


ZA 


8403276 









International Application No. 
PCT/AU 98/00072 



END OF ANNEX 



v |) :.- ,i r. x t) (\ ; tily 19*>2) oiprnw 



This Page is Inserted by IFW Indexing and Scanning 
Operations and is not part of the Official Record 

BEST AVAILABLE IMAGES 

Defective images within this document are accurate representations of the original 
documents submitted by the applicant. 

Defects in the images include but are not limited to the items checked: 

□ BLACK BORDERS 

□ IMAGE CUT OFF AT TOP, BOTTOM OR SIDES 

□ FADED TEXT OR DRAWING 

□ BLURRED OR ILLEGIBLE TEXT OR DRAWING 

□ SKEWED/SLANTED IMAGES 

□ COLOR OR BLACK AND WHITE PHOTOGRAPHS 

□ GRAY SCALE DOCUMENTS 

□ LINES OR MARKS ON ORIGINAL DOCUMENT 

□ REFERENCE(S) OR EXHIBIT(S) SUBMITTED ARE POOR QUALITY 

□ OTHER: 

IMAGES ARE BEST AVAILABLE COPY. 
As rescanning these documents will not correct the image 
problems checked, please do not report these problems to 
the IFW Image Problem Mailbox. 



